Name

WideOpen — disable IP-based qualification of user sessions (the directive degrades catalog security!)

SYNOPSIS

No | Yes

DESCRIPTION

The WideOpen directive disables IP-based qualification of user sessions and sets the hostname part of every client's Interchange cookie to nobody. This increases compatibility, but reduces catalog security.

When this directive is enabled, no IP-based checking is done, so anyone who guesses and supplies a valid session ID can hijack another client's session.

The option was introduced to improve compatibility with old browsers, at the cost of some security. Do not enable it unless your clients experience problems caused by IP addresses that change from access to access. Also, do not use it unless you are using encryption (PGP/CreditCardAuto) or a real-time payment gateway; otherwise the risk may be too high.

DIRECTIVE TYPE AND DEFAULT VALUE

Catalog directive

EXAMPLES

Example: Enabling the WideOpen directive

Put either of the following lines in catalog.cfg:

WideOpen 1
WideOpen Yes
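
Example: Auditing catalog.cfg for an enabled WideOpen (an added example, not part of the Interchange documentation or code base)

This Python check reports whether WideOpen is effectively enabled in catalog.cfg text, applying the same value patterns as parse_yesno under SOURCE. The function names, the one-line syntax handling, case-insensitive directive names, the last-occurrence-wins rule and a CreditCardAuto default of No are assumptions of this example.

```python
import re

# Same patterns as parse_yesno in the lib/Vend/Config.pm excerpt on this page.
_TRUE = re.compile(r"^(y|t|1|on)", re.I)
_FALSE = re.compile(r"^(n|f|0|of)", re.I)


def parse_yesno(value):
    """Return True/False as parse_yesno would, or None for a rejected value."""
    if _TRUE.match(value):
        return True
    return False if _FALSE.match(value) else None


def audit_catalog_cfg(text):
    """Report effective WideOpen / CreditCardAuto values in catalog.cfg text.

    Assumed here: one-line 'Directive value' entries, '#' comment lines,
    case-insensitive directive names, last occurrence wins, includes ignored.
    """
    state = {"wideopen": (False, None), "creditcardauto": (False, None)}
    invalid = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name not in state:
            continue
        parsed = parse_yesno(parts[1].strip() if len(parts) > 1 else "")
        if parsed is None:
            invalid.append(lineno)  # Interchange would raise a config error
        else:
            state[name] = (parsed, lineno)
    wide, wide_line = state["wideopen"]
    card_auto = state["creditcardauto"][0]
    return {
        "wideopen": wide,
        "wideopen_line": wide_line,
        "creditcardauto": card_auto,
        "invalid_lines": invalid,
        # WideOpen without CreditCardAuto: a person must confirm a real-time
        # payment gateway is in use, which this check cannot see.
        "needs_review": wide and not card_auto,
    }


# Constructed sample input, not taken from a real catalog.
SAMPLE = "# sessions\nWideOpen No\nCreditCardAuto maybe\nwideopen   on\n"
```

Calling audit_catalog_cfg(SAMPLE) reports WideOpen as enabled by line 4, which overrides the earlier No, and lists line 3 as a value parse_yesno would reject.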

NOTES

AVAILABILITY

WideOpen is available in Interchange versions:

4.6.0-5.9.0 (git-head)

SOURCE

Interchange 5.9.0:

Source: lib/Vend/Config.pm
Line 656

['WideOpen',     'yesno',            'No'],

Source: lib/Vend/Config.pm
Line 5434 (context shows lines 5434-5446)

sub parse_yesno {
    my($var, $value) = @_;
    $_ = $value;
    if (m/^y/i || m/^t/i || m/^1/ || m/^on/i) {
        return 1;
    }
    elsif (m/^n/i || m/^f/i || m/^0/ || m/^of/i) {
        return 0;
    }
    else {
        config_error("Use 'yes' or 'no' for the $var directive\n");
    }
}

AUTHORS

Interchange Development Group

SEE ALSO

IpHead(7ic), CreditCardAuto(7ic), CountrySubdomains(7ic), IpQuad(7ic), DomainTail(7ic), TrustProxy(7ic)
