Check out the SMF Function DB!
Started by Eloi, May 24, 2012, 06:24:48 PM
Quote from: Arantor on May 24, 2012, 06:35:03 PM: Session IDs are not accepted for logged-in users when supplied via URL, to prevent session fixation.
Quote: Except when the user has cookies blocked, when it has to be sent through the URL.
Quote: Session fixation is still possible if someone listens to the connection and intercepts a cookie, so in which cases does what you have described prevent it?
Quote from: Arantor on May 25, 2012, 06:56:01 AM: No, even then it's not permitted, as far as I remember, such that logins explicitly require cookies.
Quote from: Arantor on May 25, 2012, 06:56:01 AM: Mind you, you seem to believe it's possible to secure these things; I'd love to hear what you think should be done.
Quote from: Arantor on May 24, 2012, 06:35:03 PM: Session IDs are not accepted for logged-in users when supplied via URL, to prevent session fixation. There are no checks against IP address (for the obvious reason), but I believe there are circumstances where the user agent is verified between requests.
Quote: phpBB has "Session IP validation:" options in the Security settings, where you can match against part of or the entire IP address.
Quote: The other phpBB security checks were: "Validate X_FORWARDED_FOR header", "Validate Referer:",
Quote: and MyBB has this option: "Do you want to check a user's IP address for HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP headers? If you're unsure, set this to no."
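The policies argued over in this thread (a URL-supplied session ID is honoured only for anonymous sessions, login needs a cookie and issues a fresh ID, and the phpBB/MyBB-style partial-IP, User-Agent and X-Forwarded-For options) are easy to model in a few dozen lines. The following is an added example written for this page; it is not SMF, phpBB or MyBB code, and the `Request`, `Session`, `SessionManager` names, the `sid` cookie/URL parameter, the RFC 5737 addresses and the `fixation_attempt` scenario are all constructed for illustration.

```python
"""Model of the session policies discussed above. Hypothetical names throughout;
not the code of SMF, phpBB or MyBB."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Request:
    """Constructed stand-in for an HTTP request."""
    remote_addr: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass
class Session:
    user_id: Optional[int]
    ip: str
    user_agent: str


def same_ip_prefix(a: str, b: str, octets: int) -> bool:
    """phpBB-style partial IPv4 match: compare only the first `octets` octets (0 disables)."""
    return a.split(".")[:octets] == b.split(".")[:octets]


class SessionManager:
    SID = "sid"  # hypothetical cookie name and URL parameter

    def __init__(self, ip_octets=0, check_user_agent=False, trust_forwarded_for=False):
        self.store: dict = {}
        self.ip_octets = ip_octets
        self.check_user_agent = check_user_agent
        self.trust_forwarded_for = trust_forwarded_for

    def client_ip(self, req: Request) -> str:
        # X-Forwarded-For is attacker-controlled unless a trusted proxy sets it, so it is
        # only honoured when the deployment opts in (the "if unsure, set to no" option).
        xff = req.headers.get("X-Forwarded-For")
        if self.trust_forwarded_for and xff:
            return xff.split(",")[0].strip()
        return req.remote_addr

    def create(self, req: Request) -> str:
        sid = secrets.token_urlsafe(32)
        self.store[sid] = Session(None, self.client_ip(req), req.headers.get("User-Agent", ""))
        return sid

    def lookup(self, req: Request):
        """Return (sid, Session) or (None, None). The cookie wins over the URL parameter."""
        sid, from_url = req.cookies.get(self.SID), False
        if sid is None:
            sid, from_url = req.query.get(self.SID), True
        sess = self.store.get(sid)
        if sess is None:
            return None, None
        if from_url and sess.user_id is not None:
            return None, None  # a URL-supplied sid never resolves to a logged-in session
        if self.ip_octets and not same_ip_prefix(sess.ip, self.client_ip(req), self.ip_octets):
            return None, None
        if self.check_user_agent and sess.user_agent != req.headers.get("User-Agent", ""):
            return None, None
        return sid, sess

    def login(self, req: Request, user_id: int) -> str:
        """Drop whatever sid the client arrived with and issue a fresh one for the cookie."""
        old_sid, _ = self.lookup(req)
        if old_sid is not None:
            del self.store[old_sid]
        new_sid = self.create(req)
        self.store[new_sid].user_id = user_id
        return new_sid


def fixation_attempt(ip_octets=0, check_user_agent=False) -> dict:
    """Constructed scenario: attacker plants an anonymous sid in a link, victim logs in."""
    mgr = SessionManager(ip_octets=ip_octets, check_user_agent=check_user_agent)
    atk_hdr, vic_hdr = {"User-Agent": "curl/8.0"}, {"User-Agent": "Mozilla/5.0"}
    planted = mgr.create(Request("198.51.100.7", headers=atk_hdr))
    link = Request("203.0.113.5", headers=vic_hdr, query={"sid": planted})
    planted_accepted_anon = mgr.lookup(link)[1] is not None
    new_sid = mgr.login(link, user_id=42)  # cookie-based sid replaces the planted one
    cookie_req = Request("203.0.113.5", headers=vic_hdr, cookies={"sid": new_sid})
    victim_logged_in = mgr.lookup(cookie_req)[1].user_id == 42
    replay = Request("198.51.100.7", headers=atk_hdr, cookies={"sid": planted})
    url_hijack = Request("198.51.100.7", headers=atk_hdr, query={"sid": new_sid})
    return {
        "planted_sid_accepted_before_login": planted_accepted_anon,
        "victim_logged_in": victim_logged_in,
        "planted_sid_valid_after_login": mgr.lookup(replay)[1] is not None,
        "new_sid_via_url_accepted": mgr.lookup(url_hijack)[1] is not None,
    }


if __name__ == "__main__":
    print(fixation_attempt())
    print(fixation_attempt(ip_octets=3, check_user_agent=True))
```

With all optional checks off (the SMF-like configuration described by Arantor) the planted ID is accepted while the session is anonymous, but it is discarded at login and the new cookie-only ID is refused when offered in a URL, so the attacker gains nothing from the fixation. Turning on a three-octet IP match (phpBB-style) refuses the planted ID even before login, at the cost of breaking users whose address changes mid-session, which is the "obvious reason" SMF does not do it. Neither policy helps against the intercepted-cookie case raised in the thread; that needs TLS, not session bookkeeping.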