Galen Charlton schreef op wo 29-05-2013 om 09:07 [-0700]:
I'll ask the same question here that I asked in the bug: Given the continued existence of things like web proxy farms that can result in REMOTE_ADDR changing from request to request, are there any improvements in the state of the art for anti-session-hijacking measures that would reasonably allow us to remove the IP address check (or implement a syspref like Amit's patch tried)?
Standard session cookies combined with running over HTTPS is really the only way. It comes down to threat modelling really: is session hijacking something that you feel you care about? (It's perfectly reasonable to say either yes, no, or only on the staff client, depending on your circumstances.) To make it a bit more secure we could use a different session for the staff client vs. the OPAC. At the moment we use the same for both, so someone capturing a session cookie from a staff member logged into the OPAC can use that to access the staff client. -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D