[Koha-bugs] [Bug 5511] Check for Change in Remote IP address for Session Security. Disable when remote ip address changes frequently.
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Jul 11 07:16:12 CEST 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5511
--- Comment #8 from Frère Sébastien Marie <semarie-koha at latrappe.fr> ---
(En réponse au commentaire 7)
> One of our customers ran into this recently. Given the continued existence
> of things like web proxy farms that can result in REMOTE_ADDR changing from
> request to request, a general question -- are there any improvements in the
> state of the art for anti-session-hijacking measures that would reasonably
> allow us to remove the IP address check (or implement a syspref like Amit's
> patch tried)?
If I remember well, the patch disable by default IP restriction. It is bad:
hijacking will be easy (just need to steal cookie, with XSS for example).
> IMO, a "restrict session by this IP ? Y/n" widget on the login form doesn't
> seem like a friendly UI choice.
but bugzilla propose the same on logon (and advice that is better to run with).
It should be ok with a system with a syspref "session restriction by IP"
- always (and no choice at logon)
- yes (choice at logon and yes by default)
- no (choice at logon and no by default)
- never (and no choice at logon)
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list