[ic] Admin/Login Bug?!
Joachim Leidinger
interchange-users@icdevgroup.org
Thu Feb 20 08:12:22 2003
Greg Goble wrote:
> Mike Heins wrote:
.....
>>>I'm pretty sure Interchange's session handling stops session hijacking in
>>>the way you describe. Granted, if you disable cookies and run your tests on
>>>the same machine (same IP address) you may appear to be hijacking a session.
>>
>>This is true, and it is why we have the IP address qualification turned on
>>by default.
>>
>>If you set WideOpen Yes, you can do it. Which is why I suggest
>>lowering SessionExpire to 20 minutes or less if you run WideOpen.
>>
>>You can reduce your exposure to this by running the UI via https.
>
>
> IC Team,
>
> First of all, thanks to all of you for your inputs. Issues on security should also raise an eyebrow or two, especially the
> seriousness of it and the more opinions/experience expressed the better.
>
> At least now I know it is/was an 'issue', it has been addressed and lastly there are ways to address it.
>
> Oddly enough, I don't see OpenWide in my catalog.cfg (or interchange.cfg). I was expecting to see either OpenWide No or Yes set,
> according to Mike's & Ed's remarks. If not/not having the latter listed in my catalog.cfg is the same as OpenWide No then I'm okay
> with that. Can someone confirm this, please? I also do not have SessionExpire in my catalog.cfg. Should I?
>
> I'm running IC4.8.5
...
WideOpen! Not OpenWide!
{0} <FreeBSD 4.4-RELEASE-p2> [/home/ic485/lib/Vend]
(1022) mvend@BPA > grep Wide *
Config.pm: ['WideOpen', 'yesno', 'No'],
per default "No".
{0} <FreeBSD 4.4-RELEASE-p2> [/home/ic485/lib/Vend]
(1021) mvend@BPA > grep Expire *
Config.pm: ['SessionExpire', 'time', '1 hour'],
Config.pm: ['SaveExpire', 'time', '30 days'],
per default "1 hour".
If you want to set SessionExpire, add for example

SessionExpire 6 hours

in your catalog.cfg, if you want another time instead of 1 hour.
Joachim
--
Hans-Joachim Leidinger
leidinger@bpanet.de
Black Point Arts Internet Solutions GmbH
Berner Strasse 117
60437 Frankfurt
Tel. 069-952-181-30
Fax. 069-952-181-41
Authorized representative: Dirk Estenfeld
Commercial register: HRB 50093 Frankfurt am Main
VAT ID no. de210106871
Visit us on the Internet at
--> http://www.bpanet.de
Would you also like to inform your customers about news quickly and easily?
--> http://www.sendaround.de
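
The check discussed in this thread, as an added example that is not part of the original message or of Interchange itself: it reads catalog.cfg text, applies the defaults shown in the Config.pm grep output above (WideOpen No, SessionExpire 1 hour), and flags WideOpen Yes combined with a SessionExpire above the 20 minutes suggested in the quoted reply. Assumptions: directive names are matched case-insensitively, the last occurrence in the file wins, only "<number> <unit>" time values are handled, and the sample configs are constructed.

```python
import re

# Defaults taken from the Config.pm grep output in the message above (IC 4.8.5).
DEFAULTS = {"wideopen": "No", "sessionexpire": "1 hour"}
# Assumption: only "<number> <unit>" time values are handled.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

def parse_time(value):
    """Convert a value such as '6 hours' or '20 minutes' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", value.lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def effective_settings(cfg_text):
    """Return effective WideOpen/SessionExpire values (assumed: names are
    case-insensitive and the last occurrence in the file wins)."""
    settings = dict(DEFAULTS)
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in settings:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit(cfg_text, limit="20 minutes"):
    """Flag WideOpen Yes, and a SessionExpire above `limit` when it is on."""
    s = effective_settings(cfg_text)
    findings = []
    if s["wideopen"].lower() == "yes":
        findings.append("WideOpen Yes: sessions are not qualified by IP address")
        if parse_time(s["sessionexpire"]) > parse_time(limit):
            findings.append(f"SessionExpire {s['sessionexpire']} is above {limit} with WideOpen on")
    return findings

# Constructed sample catalog.cfg fragments (not from a real catalog).
CFG_DEFAULTS = "# neither directive is present\nVariable SOMETHING value\n"
CFG_WIDE_LONG = "WideOpen Yes\nSessionExpire 6 hours\n"
CFG_WIDE_SHORT = "WideOpen   Yes\nSessionExpire 20 minutes\n"

if __name__ == "__main__":
    for name, cfg in [("defaults", CFG_DEFAULTS), ("wide+6h", CFG_WIDE_LONG),
                      ("wide+20m", CFG_WIDE_SHORT)]:
        print(name, effective_settings(cfg), audit(cfg))
```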