[ic] Admin/Login Bug?!

Jonathan Clark interchange-users@icdevgroup.org
Thu Feb 20 08:07:00 2003


> > > >
> > > > Here's a URL to IC's demo1 admin area. See if you get prompted
> > > > for the username & password.
> > > > http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=1&id=TwXw32cc&mv_pc=17
> > > >
> > > > Granted, if the IC's demo1 clears its session IDs between now and
> > > > the time you all receive it, it may not work. So try it yourself.
> > > >
> > > > Immediate attention, clarification and support are greatly
> > > > appreciated.
> > >
> > > I'm pretty sure Interchange's session handling stops session hijacking in
> > > the way you describe. Granted, if you disable cookies and run your tests on
> > > the same machine (same IP address) you may appear to be hijacking a session.
> >
> > This is true, and it is why we have the IP address
> > qualification turned on
> > by default.
> >
> > If you set WideOpen Yes, you can do it. Which is why I suggest
> > lowering SessionExpire to 20 minutes or less if you run WideOpen.
> >
> > You can reduce your exposure to this by running the UI via
> > https.
>
> IC Team,
>
> First of all, thanks to all of you for your inputs. Issues on
> security should also raise an eyebrow or two, especially the
> seriousness of it and the more opinions/experience expressed the better.
>
> At least now I know it is/was an 'issue', it has been addressed
> and lastly there are ways to address it.

Is/was an issue? I disagree with this. The behaviour you are experiencing is
as expected, and I would not consider that the same person, revisiting the
same site and getting the same session, is an _issue_; I would consider it
desirable. In fact, imagine that this _never_ happened. That would in
effect mean each page request would be considered a new visitor to the
site - the net result would be no sessions at all.

>
> Oddly enough, I don't see OpenWide in my catalog.cfg (or
> interchange.cfg). I was expecting to see either OpenWide No or Yes set,
> according to Mike's & Ed's remarks. If not/not having the latter
> listed in my catalog.cfg is the same as OpenWide No then I'm okay
> with that. Can someone confirm this, please? I also do not have
> SessionExpire in my catalog.cfg. Should I?

The default for WideOpen is No, so not having the directive at all is the
more secure setting.

Using SessionExpire is a way of reducing the life of a session. If you
visited your site, put something in the cart, went for a cup of tea and came
back, would you expect the item to still be in the cart? I would. If I came
back the next day I would not expect it to be there though.

What Mike was saying is that reducing this value means less time for someone
hijacking a session (where WideOpen is Yes) to get in.

Jonathan
www.webmaint.net
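The two controls the thread keeps coming back to are the IP address qualification (which WideOpen Yes switches off) and SessionExpire. The following is an added example that models how those checks interact when a session id is pasted into a URL and reused from another machine; it is a small Python model written for this discussion, not Interchange's own Perl session code, and the store layout, clock injection and sample addresses are all assumptions.

```python
"""Model of the session checks discussed in the thread (added example, not
Interchange's code). A session remembers the client IP that created it; a
request may resume a session only if it has not expired and, unless
wide_open is set, only from the same IP address."""
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    client_ip: str
    last_access: float
    cart: list = field(default_factory=list)


class SessionStore:
    def __init__(self, wide_open=False, session_expire=24 * 3600, now=time.time):
        # wide_open=False mirrors the default "WideOpen No"; session_expire is
        # in seconds (the default of one day is an assumption for this model).
        self.wide_open = wide_open
        self.session_expire = session_expire
        self.now = now  # injectable clock so expiry can be simulated offline
        self._sessions = {}

    def create(self, sid, client_ip):
        s = Session(sid, client_ip, self.now())
        self._sessions[sid] = s
        return s

    def lookup(self, sid, client_ip):
        """Return the session if this request may resume it, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        # SessionExpire: idle sessions are discarded regardless of mode.
        if self.now() - s.last_access > self.session_expire:
            del self._sessions[sid]
            return None
        # IP qualification: enforced unless the catalog runs WideOpen Yes.
        if not self.wide_open and s.client_ip != client_ip:
            return None
        s.last_access = self.now()
        return s


def demo():
    """Walk through the cases from the thread; returns a dict of outcomes."""
    clock = [1000.0]           # constructed fake clock, seconds
    now = lambda: clock[0]
    sid = "SampleSid01"        # constructed session id
    shopper, stranger = "192.0.2.10", "198.51.100.7"  # constructed addresses
    results = {}

    # Default configuration: IP qualification on, long expiry.
    default = SessionStore(wide_open=False, now=now)
    default.create(sid, shopper).cart.append("widget")
    # The same visitor coming back gets the same cart: expected behaviour.
    same = default.lookup(sid, shopper)
    results["same_ip_resumes"] = same is not None and same.cart == ["widget"]
    # The same id presented from another address is refused.
    results["other_ip_rejected"] = default.lookup(sid, stranger) is None

    # WideOpen Yes with SessionExpire lowered to 20 minutes.
    wide = SessionStore(wide_open=True, session_expire=20 * 60, now=now)
    wide.create(sid, shopper)
    # Without IP qualification the id works from any address ...
    results["wideopen_other_ip_resumes"] = wide.lookup(sid, stranger) is not None
    # ... but only until the session has been idle past SessionExpire.
    clock[0] += 21 * 60
    results["wideopen_expired"] = wide.lookup(sid, stranger) is None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model also shows the caveat raised earlier in the thread: IP qualification cannot distinguish two clients that share one address, which is why testing with cookies disabled from the same machine looks like a hijack. Serving the UI over https, as suggested above, limits where the id in the URL can be observed in transit; it does not change either check.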