[Koha-devel] "IP address has changed. Please log in again"

Robin Sheat robin at catalyst.net.nz
Thu May 30 00:58:37 CEST 2013


Galen Charlton wrote on Wed 29-05-2013 at 09:07 [-0700]:
> I'll ask the same question here that I asked in the bug: Given the
> continued existence of things like web proxy farms that can result in
> REMOTE_ADDR changing from request to request, are there any
> improvements in the state of the art for anti-session-hijacking
> measures that would reasonably allow us to remove the IP address check
> (or implement a syspref like Amit's patch tried)?

Standard session cookies combined with running over HTTPS is really the
only way. It comes down to threat modelling really: is session hijacking
something that you feel you care about? (It's perfectly reasonable to
say either yes, no, or only on the staff client, depending on your
circumstances.)

To make it a bit more secure we could use a different session for the
staff client vs. the OPAC. At the moment we use the same for both, so
someone capturing a session cookie from a staff member logged into the
OPAC can use that to access the staff client.

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D
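Robin's point that a single shared session lets a cookie captured from a staff member on the OPAC open the staff client can be shown with a small session store that binds each session to the interface that issued it. The Python below is an added example written for this thread; it is not Koha code, and the cookie names `OPACSESSID`/`STAFFSESSID`, the `"opac"`/`"staff"` labels and the API are assumptions. The `scoped=False` mode models the shared session Robin describes; `scoped=True` models the separate staff/OPAC session he proposes. Note that nothing here looks at REMOTE_ADDR, so users behind a proxy farm are unaffected.

```python
"""Interface-scoped session cookies (added example, not Koha code).

Models the thread's suggestion: issue a separate session for the staff
client and the OPAC, so a cookie captured from a staff member browsing
the OPAC does not authenticate to the staff client.  Cookie names and
the "opac"/"staff" labels are hypothetical.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical cookie names, one per interface.
COOKIE_NAMES = {"opac": "OPACSESSID", "staff": "STAFFSESSID"}


@dataclass
class Session:
    user: str
    interface: str      # interface that issued the session: "opac" or "staff"
    issued_at: float    # epoch seconds


def _key(sid: str) -> str:
    # Store only a digest of the cookie value: a dumped session table then
    # does not hand out live cookies to whoever reads it.
    return hashlib.sha256(sid.encode()).hexdigest()


class SessionStore:
    def __init__(self, scoped: bool = True, ttl_seconds: int = 3600):
        self.scoped = scoped            # False = one shared session (current Koha, per Robin)
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, interface: str, now: Optional[float] = None) -> str:
        """Create a session for `interface` and return the cookie value."""
        if interface not in COOKIE_NAMES:
            raise ValueError(f"unknown interface {interface!r}")
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        issued = time.time() if now is None else now
        self._sessions[_key(sid)] = Session(user, interface, issued)
        return sid

    def authenticate(self, sid: str, interface: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Return the user for `sid` as presented to `interface`, or None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(_key(sid))
        if sess is None:
            return None
        if now - sess.issued_at > self.ttl:
            del self._sessions[_key(sid)]  # expired: drop it
            return None
        if self.scoped and sess.interface != interface:
            return None                    # OPAC cookie presented to staff client
        return sess.user


def set_cookie_header(interface: str, sid: str, https: bool = True) -> str:
    """Build the Set-Cookie line; Secure is only meaningful over HTTPS."""
    attrs = [f"{COOKIE_NAMES[interface]}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def replay_captured_opac_cookie(scoped: bool) -> Optional[str]:
    """A staff member logs into the OPAC; an attacker who captured that
    cookie presents it to the staff client.  Returns the user the staff
    client would accept, or None if it refuses."""
    store = SessionStore(scoped=scoped)
    captured = store.login("librarian", "opac")
    return store.authenticate(captured, "staff")


if __name__ == "__main__":
    print("shared session, replayed to staff client:", replay_captured_opac_cookie(False))
    print("scoped session, replayed to staff client:", replay_captured_opac_cookie(True))
```

Scoping the session only closes the OPAC-to-staff path; a cookie captured from the staff client itself still works there, which is why the cookie must also be Secure and the staff client served over HTTPS, as the post says.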

