[ic] Admin/Login Bug?!

Greg Goble interchange-users@icdevgroup.org
Thu Feb 20 07:49:00 2003


Mike Heins wrote:
> > >
> > > Here's a URL to IC's demo1 admin area. See if you get prompted
> > > for the username & password.
> > > http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=
> > > 1&id=TwXw32cc&mv_pc=17
> > >
> > > Granted if the IC's demo1 clears its session IDs between now and
> > > the time you all receive it, it may not work. So try it yourself.
> > >
> > > Immediate attention, clarification and support are greatly
> > > appreciated.
> >
> > I'm pretty sure Interchange's session handling stops session hijacking in
> > the way you describe. Granted, if you disable cookies and run your tests on
> > the same machine (same IP address) you may appear to be hijacking a session.
>
> This is true, and it is why we have the IP address qualification turned on
> by default.
>
> If you set WideOpen Yes, you can do it. Which is why I suggest
> lowering SessionExpire to 20 minutes or less if you run WideOpen.
>
> You can reduce your exposure to this by running the UI via https.

IC Team,

First of all, thanks to all of you for your inputs. Issues on security should also raise an eyebrow or two, especially the
seriousness of it and the more opinions/experience expressed the better.

At least now I know it is/was an 'issue', it has been addressed and lastly there are ways to address it.

Oddly enough, I don't see OpenWide in my catalog.cfg (or interchange.cfg). I was expecting to see either OpenWide No or Yes set,
according to Mike's & Ed's remarks. If not/not having the latter listed in my catalog.cfg is the same as OpenWide No then I'm okay
with that. Can someone confirm this, please? I also do not have SessionExpire in my catalog.cfg. Should I?

I'm running IC 4.8.5.

Thanks again, Greg G.
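The behaviour Mike describes above (IP qualification on by default, WideOpen disabling it, SessionExpire bounding the window in which a leaked URL session ID is usable) as a small model, added here as an illustration; this is not Interchange's code, and the session store, the addresses and the session ID are constructed:

```python
# Added example, not Interchange code: a model of binding a URL-carried
# session ID to the client IP that created it, with an expiry window.
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    ip: str          # client IP recorded when the session was created
    last_seen: int   # epoch seconds of the last accepted request


SESSIONS = {}  # constructed in-memory store: session_id -> Session


def create_session(session_id, ip, now):
    SESSIONS[session_id] = Session(session_id, ip, now)


def validate_session(session_id, client_ip, now, wide_open=False,
                     session_expire=20 * 60):
    """Return (accepted, reason) for a request presenting session_id.

    wide_open=False models the default IP qualification; wide_open=True
    models WideOpen Yes, where only session_expire (here 20 minutes)
    limits how long a leaked ID stays usable.
    """
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False, "unknown session"
    if now - sess.last_seen > session_expire:
        del SESSIONS[session_id]          # stale session is discarded
        return False, "expired"
    if not wide_open and sess.ip != client_ip:
        return False, "ip mismatch"       # same ID, different host
    sess.last_seen = now
    return True, "ok"


def demo():
    """Walk the thread's scenario: the owner keeps using the session,
    a different host replays the ID from a leaked URL."""
    SESSIONS.clear()
    owner_ip, other_ip = "10.0.0.5", "192.0.2.7"   # constructed addresses
    sid = "s3ss10n1d"                              # constructed session ID
    create_session(sid, owner_ip, now=1000)
    results = {}
    results["owner_same_ip"] = validate_session(sid, owner_ip, now=1060)
    results["other_ip_default"] = validate_session(sid, other_ip, now=1120)
    results["other_ip_wideopen"] = validate_session(sid, other_ip, now=1180,
                                                    wide_open=True)
    # With WideOpen, only the expiry window ends the exposure (21 min later).
    results["other_ip_after_expiry"] = validate_session(
        sid, other_ip, now=1180 + 21 * 60, wide_open=True)
    return results
```

Running `demo()` shows the same-IP case accepted, the other-host replay rejected under the default check, accepted under WideOpen, and rejected again once SessionExpire has passed.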