[Koha-devel] "IP address has changed. Please log in again"

Galen Charlton gmc at esilibrary.com
Thu May 30 20:18:11 CEST 2013


Hi,

On Wed, May 29, 2013 at 3:58 PM, Robin Sheat <robin at catalyst.net.nz> wrote:
> Standard session cookies combined with running over HTTPS is really the
> only way. It comes down to threat modelling really: is session hijacking
> something that you feel you care about? (It's perfectly reasonable to
> say either yes, no, or only on the staff client, depending on your
> circumstances.)

I'd personally be happy with requiring SSL for the staff interface and
the OPAC throughout on the basis that patron information is sensitive
enough to demand that level of care.

However, because of the general support issues that would arise around
SSL certs, I suspect that Koha jumping on the HTTPS Everywhere
bandwagon will likely have to remain a recommended practice rather
than a requirement or installation default.

> To make it a bit more secure we could use a different session for the
> staff client vs. the OPAC. At the moment we use the same for both, so
> someone capturing a session cookie from a staff member logged into the
> OPAC can use that to access the staff client.

I think this is a good idea.

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org
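The separate-session idea in the quoted paragraph above, as an added illustration that is not Koha's own code (Koha is Perl; this is a stand-alone Python sketch). It assumes a hypothetical in-memory `SessionStore`, invented cookie names (`SESSID`, `OPACSESSID`, `STAFFSESSID`) and a `librarian` user, and contrasts the shared-cookie design the thread describes with one that records which interface issued each session and refuses the token anywhere else. The `Secure` flag on the cookie ties in with the HTTPS point: it stops the cookie being sent over plain HTTP, but only helps once the site is actually served over HTTPS.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

OPAC = "opac"
STAFF = "staff"


@dataclass
class Session:
    user: str
    interface: str   # the client this session was issued for


class SessionStore:
    """In-memory server-side session store (constructed for this example).

    separate_sessions=False mirrors the shared-cookie design the thread
    describes; True issues a distinct cookie per interface and refuses to
    honour a token on any interface other than the one it was issued for.
    """

    def __init__(self, separate_sessions: bool) -> None:
        self.separate = separate_sessions
        self._sessions: Dict[str, Session] = {}
        # Hypothetical cookie names, not Koha's actual ones.
        if separate_sessions:
            self.cookie_names = {OPAC: "OPACSESSID", STAFF: "STAFFSESSID"}
        else:
            self.cookie_names = {OPAC: "SESSID", STAFF: "SESSID"}

    def login(self, user: str, interface: str) -> str:
        """Create a session and return the Set-Cookie header value."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user, interface)
        # Secure: never sent over plain HTTP (only meaningful if the site is
        # actually served over HTTPS); HttpOnly: not readable by page scripts.
        return (f"{self.cookie_names[interface]}={token}; "
                f"Path=/; Secure; HttpOnly; SameSite=Lax")

    def authenticate(self, interface: str, cookie_header: str) -> Optional[Session]:
        """Resolve the session for a request to `interface`, or None."""
        cookies = parse_cookie_header(cookie_header)
        token = cookies.get(self.cookie_names[interface])
        if token is None:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.separate and session.interface != interface:
            return None   # an OPAC token presented to the staff client is refused
        return session


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal Cookie: header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def cookie_from_set_cookie(set_cookie: str) -> str:
    """Turn a Set-Cookie value into the 'name=value' pair a client sends back."""
    return set_cookie.split(";", 1)[0]


def replay_opac_cookie_against_staff(separate_sessions: bool) -> bool:
    """Simulate a captured OPAC cookie being presented to the staff client.

    Returns True if the staff client accepts it (the weakness described in
    the thread), False if it is refused.
    """
    store = SessionStore(separate_sessions)
    set_cookie = store.login("librarian", OPAC)
    captured = cookie_from_set_cookie(set_cookie)          # e.g. 'SESSID=...'
    # The token is presented under whatever cookie name the staff client expects.
    _, token = captured.split("=", 1)
    presented = f"{store.cookie_names[STAFF]}={token}"
    return store.authenticate(STAFF, presented) is not None


if __name__ == "__main__":
    print("shared session, OPAC cookie accepted by staff client:",
          replay_opac_cookie_against_staff(separate_sessions=False))   # True
    print("separate sessions, OPAC cookie accepted by staff client:",
          replay_opac_cookie_against_staff(separate_sessions=True))    # False
```

With a shared store the OPAC token is a staff token, so the check passes; with per-interface sessions the same token is refused on the staff side even when it is sent under the staff cookie's name, because the server records the issuing interface rather than trusting the cookie name. A real deployment would hold the sessions in a persistent store and bind them to a user and expiry, which this sketch omits.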

