[ic] New SecureProtect directive to prevent sidejacking

Mike Heins mike at perusion.com
Sat Oct 30 03:51:41 UTC 2010


Quoting Peter (peter at pajamian.dhs.org):
> On 30/10/10 11:28, Josh Lavin wrote:
> > New SecureProtect configuration directive (sidejacking fix)
> > 
> > Author: Mike Heins
> > 
> > This is a defense to "sidejacking", the collection of a session cookie
> > by a host on an insecure network. When SecureProtect is active, the
> > UserDB login process creates a passhash of the encrypted password. This,
> > along with username, login_table, and a "secret" set in the
> > configuration, is used to check subsequent secure accesses to the catalog.
> 
> This is great.  I've been wanting to implement something like this
> myself for ages but just haven't had the time.
> 
> I take it that this only protects the session for secure pages, so if
> you implement this you should make sure that any important input or
> sharing of private details happens on a secure page (via the
> AlwaysSecure and ExtraSecure directives)?

You also need to have a logged in status to be protected. Obviously
you couldn't get to a secure login page otherwise....

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.328.4479  <mike at perusion.com>

There comes a time when you should stop expecting other people to make
a big deal about your birthday. That time is age 12. -- Dave Barry
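The check described in the quoted commit message, modelled as an added Python example. This is not Interchange's SecureProtect code: the cookie names (MV_SESSION_ID, MV_SECURE_PROTECT), the Server/session structures, the hash and MAC choices and the secret value are assumptions made for the illustration. The idea it shows is that the session id cookie travels over plain http and can be sniffed, while the check value derived from username, login_table, passhash and the configured secret is kept in a Secure cookie that the browser only sends over https, so a replayed session id alone is refused on secure pages.

```python
"""Model of a sidejacking defence bound to (username, login_table, passhash, secret).

Added example; not Interchange's own implementation. Cookie names, the
Server/session model and the secret are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

SESSION_COOKIE = "MV_SESSION_ID"      # assumed name; sent over http and https
PROTECT_COOKIE = "MV_SECURE_PROTECT"  # assumed name; Secure flag, so https only
SECRET = b"replace-with-a-long-random-value-from-config"  # stands in for the config secret


def passhash(encrypted_password: str) -> str:
    """Hash of the stored (already encrypted) password; the plaintext never enters."""
    return hashlib.sha256(encrypted_password.encode()).hexdigest()


def protect_token(username: str, login_table: str, phash: str, secret: bytes = SECRET) -> str:
    """Keyed MAC over username, login_table and passhash; unforgeable without the secret."""
    msg = b"\0".join(s.encode() for s in (username, login_table, phash))
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.sessions = {}  # session id -> session dict

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"logged_in": False}
        return sid

    def login(self, sid, username, login_table, encrypted_password):
        """Login step: record the passhash in the session and issue the check cookie.

        Returns a cookie jar: name -> (value, secure_flag)."""
        s = self.sessions[sid]
        s.update(logged_in=True, username=username, login_table=login_table,
                 passhash=passhash(encrypted_password))
        token = protect_token(username, login_table, s["passhash"], self.secret)
        return {SESSION_COOKIE: (sid, False), PROTECT_COOKIE: (token, True)}

    def access(self, scheme: str, cookies: dict) -> str:
        """Decide a request: 'no-session', 'unprotected', 'not-logged-in', 'ok' or 'denied'."""
        s = self.sessions.get(cookies.get(SESSION_COOKIE))
        if s is None:
            return "no-session"
        if scheme != "https":
            return "unprotected"     # plain pages accept the session cookie alone
        if not s["logged_in"]:
            return "not-logged-in"   # nothing to bind the session to yet
        expected = protect_token(s["username"], s["login_table"], s["passhash"], self.secret)
        presented = cookies.get(PROTECT_COOKIE, "")
        return "ok" if hmac.compare_digest(expected, presented) else "denied"


def cookies_for(scheme: str, jar: dict) -> dict:
    """Browser rule: a Secure cookie is attached only to https requests."""
    return {name: value for name, (value, secure) in jar.items()
            if scheme == "https" or not secure}


def demo() -> dict:
    server = Server()
    sid = server.new_session()
    # Constructed credentials; the "encrypted" password is just a placeholder string.
    jar = server.login(sid, "alice", "userdb", "$2a$10$constructedEncryptedPw")

    # Victim loads a plain http page; a host on the same network sniffs the request.
    sniffed = cookies_for("http", jar)           # only MV_SESSION_ID is on the wire
    replay = server.access("https", sniffed)     # attacker replays it on a secure page
    legit = server.access("https", cookies_for("https", jar))
    plain = server.access("http", sniffed)       # replay on a plain page: not protected
    return {"sniffed_cookies": sorted(sniffed), "replay": replay,
            "legit": legit, "plain_page": plain}


if __name__ == "__main__":
    print(demo())
```

The "unprotected" result for the plain-page replay is the point Peter raises: the check only runs on secure accesses, so anything sensitive has to be forced onto https (AlwaysSecure, ExtraSecure) for the defence to matter. The "not-logged-in" branch corresponds to Mike's remark that a session without a login has no passhash to bind to and is therefore not covered.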
