Galen Charlton wrote on Wed 29-05-2013 at 09:07 [-0700]:
> I'll ask the same question here that I asked in the bug: Given the
> continued existence of things like web proxy farms that can result in
> REMOTE_ADDR changing from request to request, are there any
> improvements in the state of the art for anti-session-hijacking
> measures that would reasonably allow us to remove the IP address check
> (or implement a syspref like Amit's patch tried)?
Standard session cookies combined with running over HTTPS is really the only way. It comes down to threat modelling really: is session hijacking something that you feel you care about? (It's perfectly reasonable to say either yes, no, or only on the staff client, depending on your circumstances.)

To make it a bit more secure we could use a different session for the staff client vs. the OPAC. At the moment we use the same for both, so someone capturing a session cookie from a staff member logged into the OPAC can use that to access the staff client.

--
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
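The two ideas in the reply above (separate sessions for the OPAC and the staff client, and an IP-address check that is a configurable option rather than hard-wired) can be shown in a small session store. The code below is an added illustration, not Koha's own code: the scope names, cookie names, TTL and `bind_to_ip` flag are assumptions chosen for the example, and the session ids are random values generated at run time. It shows that a session id issued for the OPAC is refused by the staff client even if an attacker captures it, that the REMOTE_ADDR comparison can be switched on or off per deployment, and which Set-Cookie attributes limit how a session id can leak in the first place.

```python
import secrets
import time

# Assumed scope names mirroring the two Koha interfaces discussed in the thread.
SCOPES = ("opac", "staff")
# Hypothetical cookie names; Koha's real cookie naming is not part of this example.
COOKIE_NAMES = {"opac": "CGISESSID_opac", "staff": "CGISESSID_staff"}
SESSION_TTL = 3600  # seconds; an assumed lifetime for the example


class SessionStore:
    """In-memory session store (constructed for illustration)."""

    def __init__(self, bind_to_ip=False, ttl=SESSION_TTL):
        # bind_to_ip plays the role of the syspref the thread discusses:
        # True keeps the REMOTE_ADDR check, False drops it for proxy-farm clients.
        self.bind_to_ip = bind_to_ip
        self.ttl = ttl
        self._sessions = {}

    def create(self, user, scope, remote_addr, now=None):
        """Issue a fresh session id bound to one interface (scope)."""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {
            "user": user, "scope": scope, "ip": remote_addr, "created": now,
        }
        return sid

    def validate(self, sid, scope, remote_addr, now=None):
        """Return the user name if sid is valid for this scope and client, else None."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > self.ttl:
            self._sessions.pop(sid, None)  # expired: forget it
            return None
        if s["scope"] != scope:
            return None  # an OPAC cookie cannot open the staff client
        if self.bind_to_ip and s["ip"] != remote_addr:
            return None  # optional REMOTE_ADDR check, only when configured
        return s["user"]


def set_cookie_header(scope, sid, https=True):
    """Build the Set-Cookie value: HttpOnly keeps scripts away from the id,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    attrs = [f"{COOKIE_NAMES[scope]}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def demo():
    """Walk through the scenarios from the thread; returns results for checking."""
    patron_ip, attacker_ip = "203.0.113.5", "198.51.100.9"  # constructed addresses
    store = SessionStore(bind_to_ip=False)
    opac_sid = store.create("alice", "opac", patron_ip, now=1000)
    strict = SessionStore(bind_to_ip=True)
    staff_sid = strict.create("bob", "staff", patron_ip, now=1000)
    return {
        # captured OPAC cookie replayed against the OPAC: still valid (IP check off)
        "opac_replay": store.validate(opac_sid, "opac", attacker_ip, now=1010),
        # the same cookie against the staff client: refused by scope separation
        "opac_to_staff": store.validate(opac_sid, "staff", attacker_ip, now=1010),
        # staff session with IP binding on: same address passes, new address fails
        "staff_same_ip": strict.validate(staff_sid, "staff", patron_ip, now=1010),
        "staff_new_ip": strict.validate(staff_sid, "staff", attacker_ip, now=1010),
        # expiry: a stale id is dropped
        "staff_expired": strict.validate(staff_sid, "staff", patron_ip, now=1000 + SESSION_TTL + 1),
        "header": set_cookie_header("staff", staff_sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trade-off the thread describes is visible in `opac_replay`: with the IP check off, a captured cookie works from anywhere until it expires, which is why the reply leans on HTTPS plus the cookie attributes to keep the id from being captured, and on scope separation to cap what a captured OPAC cookie is worth.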
_______________________________________________
Koha-devel mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
