Hi,

On Wed, May 29, 2013 at 3:58 PM, Robin Sheat <[email protected]> wrote:
> Standard session cookies combined with running over HTTPS is really the
> only way. It comes down to threat modelling really: is session hijacking
> something that you feel you care about? (It's perfectly reasonable to
> say either yes, no, or only on the staff client, depending on your
> circumstances.)
I'd personally be happy with requiring SSL for the staff interface and the OPAC throughout on the basis that patron information is sensitive enough to demand that level of care. However, because of the general support issues that would arise around SSL certs, I suspect that Koha jumping on the HTTPS Everywhere bandwagon will likely have to remain a recommended practice rather than a requirement or installation default.

> To make it a bit more secure we could use a different session for the
> staff client vs. the OPAC. At the moment we use the same for both, so
> someone capturing a session cookie from a staff member logged into the
> OPAC can use that to access the staff client.

I think this is a good idea.

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: [email protected]
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org

_______________________________________________
Koha-devel mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
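An added illustration of the separate-session idea discussed in the thread (example code, not Koha's own): two independent session stores with distinct cookie names, so a session identifier issued for the OPAC is meaningless to the staff client even if it is replayed under the staff cookie name. Cookie names, the `SessionManager` class and the in-memory store are constructed for this example.

```python
import secrets

# Constructed for this example: one cookie name per interface. Koha's real
# cookie names and session storage are not modelled here.
COOKIE_NAMES = {"opac": "SESSID_OPAC", "staff": "SESSID_STAFF"}


class SessionManager:
    """Keeps a separate session table per interface (OPAC vs staff client)."""

    def __init__(self):
        self._store = {name: {} for name in COOKIE_NAMES}

    def create(self, interface, user):
        """Issue a fresh random session id bound to one interface only."""
        sid = secrets.token_urlsafe(32)
        self._store[interface][sid] = user
        return sid

    def set_cookie_header(self, interface, sid, https=True):
        """Build the Set-Cookie line; Secure is only meaningful over HTTPS."""
        attrs = [f"{COOKIE_NAMES[interface]}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
        if https:
            attrs.append("Secure")
        return "Set-Cookie: " + "; ".join(attrs)

    def authenticate(self, interface, cookies):
        """Resolve the user for a request to `interface`, or None.

        Only the cookie named for this interface is consulted, and only
        this interface's own table is searched, so an id minted for the
        OPAC cannot open the staff client regardless of which cookie
        name it arrives under.
        """
        sid = cookies.get(COOKIE_NAMES[interface])
        if sid is None:
            return None
        return self._store[interface].get(sid)


def parse_cookie_header(header):
    """Turn a 'name=value; name2=value2' Cookie header into a dict."""
    pairs = (part.strip().partition("=") for part in header.split(";") if part.strip())
    return {name: value for name, _, value in pairs}
```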
