
ID: 0000708
Project: Composr
Category: core
View Status: public
Last Update: 2014-10-09 13:15
Reporter: Chris Graham
Assigned To: Chris Graham
Status: resolved
Resolution: fixed
Summary: 0000708: Increase complexity of session IDs
Description:
If someone disables the "Enforce IP addresses for sessions" option, then a brute-force hack-attack (executing within the timeframe of an admin having been active) could steal the admin login.

The brute-force would need to last roughly 11 days (at 10 requests per second): (10^7)/(10*3600*24)
The default session expiry time is significantly less than this.

The following conjunction of events would make a site vulnerable:
 - A hacker attacking a site
 - Run by someone who wasn't noticing the ramp-up in (suspicious) hits
 - Run by someone who'd disabled the "Enforce IP addresses for sessions" option
 - A persistent attack lasting months (multiples of 11 days, hoping for an overlap between guessing a session ID and that session ID having not yet expired)

If we increase the session ID complexity we can reduce the likelihood of a guess significantly.
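As an added illustration of the arithmetic above and of the fix the issue asks for (this is example code written for this page, not Composr's own session handling): the first two functions reproduce the ~11.6-day figure for a 10^7 keyspace at 10 requests per second and show how few bits of entropy that is, while `SessionStore` is a constructed in-memory store that issues 256-bit CSPRNG session IDs, keeps only a hash of each ID, expires them after a TTL, and optionally binds them to the client IP, mirroring the "Enforce IP addresses for sessions" option. The TTL, IP addresses and user names in the usage block are constructed sample values.

```python
import hashlib
import math
import secrets
import time
from typing import Optional

SECONDS_PER_DAY = 24 * 3600


def expected_bruteforce_days(keyspace: int, requests_per_second: float) -> float:
    """Time to enumerate every ID in `keyspace` at a fixed guess rate, in days.
    (10**7, 10) reproduces the ~11.6 days quoted in the issue."""
    return keyspace / (requests_per_second * SECONDS_PER_DAY)


def entropy_bits(keyspace: int) -> float:
    """Entropy, in bits, of an ID chosen uniformly from a keyspace of this size."""
    return math.log2(keyspace)


def new_session_id(num_bytes: int = 32) -> str:
    """CSPRNG-backed, URL-safe session ID; 32 random bytes give 256 bits of entropy."""
    return secrets.token_urlsafe(num_bytes)


def _fingerprint(session_id: str) -> str:
    # Store only a hash of the ID, so a leaked session table does not expose live IDs.
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self, ttl_seconds: int, enforce_ip: bool = True):
        self.ttl = ttl_seconds
        self.enforce_ip = enforce_ip          # the "Enforce IP addresses for sessions" switch
        self._sessions: dict[str, dict] = {}

    def create(self, user: str, ip: str, now: Optional[float] = None) -> str:
        """Issue a fresh session ID for `user`, bound to `ip` and expiring after the TTL."""
        now = time.time() if now is None else now
        sid = new_session_id()
        self._sessions[_fingerprint(sid)] = {"user": user, "ip": ip, "expires": now + self.ttl}
        return sid

    def lookup(self, sid: str, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a presented ID, or None if it is unknown, expired,
        or (when IP enforcement is on) presented from a different address."""
        now = time.time() if now is None else now
        key = _fingerprint(sid)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[key]           # expired sessions are no longer guessable
            return None
        if self.enforce_ip and entry["ip"] != ip:
            return None
        return entry["user"]


if __name__ == "__main__":
    print(f"10^7 IDs at 10 req/s: {expected_bruteforce_days(10**7, 10):.1f} days "
          f"({entropy_bits(10**7):.1f} bits)")
    print(f"256-bit IDs at 10 req/s: {expected_bruteforce_days(2**256, 10):.3e} days")

    store = SessionStore(ttl_seconds=3600, enforce_ip=True)   # constructed values
    sid = store.create("admin", "203.0.113.5", now=1000.0)
    print("same IP:", store.lookup(sid, "203.0.113.5", now=1500.0))      # admin
    print("other IP:", store.lookup(sid, "198.51.100.9", now=1500.0))    # None
    print("after expiry:", store.lookup(sid, "203.0.113.5", now=5000.0)) # None
```

The point of the two numbers printed first is the gap between them: a 7-digit ID is about 23 bits and falls inside a single session's lifetime at a modest request rate, whereas a 256-bit ID cannot be enumerated in any timeframe that overlaps a live session, which is why widening the ID removes the "persistent attack lasting months" scenario even when IP enforcement is off.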
Tags: No tags attached.
Time estimation (hours): 8
Sponsorship: open


Chris Graham (administrator), 2012-07-28 20:52, note ~0000787

Additionally, disabling "Enforce IP addresses for sessions" is bad because if someone does manage to intercept or steal your session ID, they can use that directly. They should not be able to do so, but it is better safe than sorry.
