[ic] Admin/Login Bug?!

Joachim Leidinger interchange-users@icdevgroup.org
Thu Feb 20 08:12:22 2003


Greg Goble wrote:
> Mike Heins wrote:
.....
>>>I'm pretty sure Interchange's session handling stops session hijacking in
>>>the way you describe. Granted, if you disable cookies and run your tests on
>>>the same machine (same IP address) you may appear to be hijacking a session.
>>
>>This is true, and it is why we have the IP address qualification turned on
>>by default.
>>
>>If you set WideOpen Yes, you can do it. Which is why I suggest
>>lowering SessionExpire to 20 minutes or less if you run WideOpen.
>>
>>You can reduce your exposure to this by running the UI via https.
> 
> 
> IC Team,
> 
> First of all, thanks to all of you for your inputs. Issues on security should also raise an eyebrow or two, especially given the
> seriousness of it, and the more opinions/experience expressed the better.
> 
> At least now I know it is/was an 'issue', it has been addressed and lastly there are ways to address it.
> 
> Oddly enough, I don't see OpenWide in my catalog.cfg (or interchange.cfg). I was expecting to see either OpenWide No or Yes set,
> according to Mike's & Ed's remarks. If not having the latter listed in my catalog.cfg is the same as OpenWide No then I'm okay
> with that. Can someone confirm this, please? I also do not have SessionExpire in my catalog.cfg. Should I?
> 
> I'm running IC4.8.5
...

WideOpen! Not OpenWide!

{0} <FreeBSD 4.4-RELEASE-p2> [/home/ic485/lib/Vend] 
                           (1022) mvend@BPA > grep Wide *
Config.pm:      ['WideOpen',             'yesno',            'No'],

The default is "No".

{0} <FreeBSD 4.4-RELEASE-p2> [/home/ic485/lib/Vend] 
                           (1021) mvend@BPA > grep Expire *
Config.pm:      ['SessionExpire',    'time',             '1 hour'],
Config.pm:      ['SaveExpire',       'time',             '30 days'],

The default is "1 hour".

If you want to set SessionExpire, add for example

SessionExpire  6 hours

to your catalog.cfg, with whatever time you want instead of 1 hour.


Joachim



-- 
Hans-Joachim Leidinger
leidinger@bpanet.de

Black Point Arts Internet Solutions GmbH
Berner Strasse 117
60437 Frankfurt
Tel. 069-952-181-30
Fax. 069-952-181-41

Authorized representative: Dirk Estenfeld
Commercial register: HRB 50093 Frankfurt am Main
VAT ID No. de210106871

Visit us on the web at
--> http://www.bpanet.de

Do you also want to inform your customers about news quickly and easily?
--> http://www.sendaround.de
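The following Perl script is an added illustration of the behaviour discussed in this thread; it is not Interchange's own session code, and its session-key scheme, the `%cfg` and `%store` names and the helper functions are invented for the example (Interchange's real session naming differs). It models a session store that qualifies the session by client IP unless `WideOpen` is `Yes`, and that expires idle sessions after `SessionExpire`, using the Config.pm defaults quoted above (`No` and 1 hour). The scenario is constructed: an admin logs in from 10.0.0.5, and someone who captured the session cookie replays it from 192.0.2.9.

```perl
#!/usr/bin/perl
# Added illustration (not Interchange's own code): a toy session store that
# qualifies the session by client IP unless WideOpen is Yes, and expires idle
# sessions after SessionExpire. %cfg, %store and the helpers below are invented
# for this example; the defaults mirror the Config.pm lines quoted in the mail.
use strict;
use warnings;

my %store;   # session key => { data => {...}, last => epoch of last use }

# Under WideOpen No (the default) the key is "id:ip", so a cookie replayed
# from another address does not find the session. Under WideOpen Yes the
# bare id is enough, and only SessionExpire limits the replay window.
sub session_key {
    my ($cfg, $id, $ip) = @_;
    return lc($cfg->{WideOpen}) eq 'yes' ? $id : "$id:$ip";
}

sub open_session {
    my ($cfg, $id, $ip, $now) = @_;
    my $key = session_key($cfg, $id, $ip);
    $store{$key} = { data => { user => 'admin' }, last => $now };
    return $key;
}

# Returns the session data, or undef if no session matches this id/ip pair
# or the session has been idle longer than SessionExpire (seconds).
sub fetch_session {
    my ($cfg, $id, $ip, $now) = @_;
    my $key = session_key($cfg, $id, $ip);
    my $s = $store{$key} or return undef;
    if ($now - $s->{last} > $cfg->{SessionExpire}) {
        delete $store{$key};            # expired: drop it
        return undef;
    }
    $s->{last} = $now;                  # touch on use
    return $s->{data};
}

# Constructed scenario: the admin logs in from 10.0.0.5 at t=0; a captured
# session cookie is replayed from 192.0.2.9 one minute later.
for my $wide ('No', 'Yes') {
    my %cfg = (WideOpen => $wide, SessionExpire => 3600);   # default: 1 hour
    %store = ();
    open_session(\%cfg, 'abc123', '10.0.0.5', 0);

    my $hit = fetch_session(\%cfg, 'abc123', '192.0.2.9', 60);
    printf "WideOpen %-3s replay from other IP at t=60s:        %s\n",
        $wide, $hit ? "ACCEPTED (user=$hit->{user})" : "rejected";

    # Same replay 30 minutes after login, with SessionExpire at 20 minutes
    # and at the 1 hour default: shows why a shorter SessionExpire narrows
    # the window once WideOpen is on.
    for my $expire (1200, 3600) {
        $cfg{SessionExpire} = $expire;
        %store = ();
        open_session(\%cfg, 'abc123', '10.0.0.5', 0);
        my $late = fetch_session(\%cfg, 'abc123', '192.0.2.9', 1800);
        printf "WideOpen %-3s SessionExpire %4ds, replay at t=1800s: %s\n",
            $wide, $expire, $late ? "ACCEPTED" : "rejected";
    }
}
```

With `WideOpen No` every replay from the second address is rejected regardless of `SessionExpire`, because the store never holds a session for that id/IP pair. With `WideOpen Yes` the replay at 60 seconds is accepted, and the 30-minute replay is accepted under the 1 hour default but rejected once `SessionExpire` is lowered to 20 minutes, which is the trade-off Mike's advice in the quoted message describes.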