View Issue Details
| Field | Value |
|---|---|
| ID | 0000708 |
| Project | Composr |
| Category | core |
| View Status | public |
| Date Submitted | 2012-07-28 20:45 |
| Last Update | 2014-10-09 13:15 |
| Reporter | Chris Graham |
| Assigned To | Chris Graham |
| Severity | feature |
| Status | resolved |
| Resolution | fixed |
| Product Version | |
| Fixed in Version | |
| Summary | 0000708: Increase complexity of session IDs |
| Tags | No tags attached. |
| Time estimation (hours) | 8 |
| Sponsorship open | |

Description

If someone disables the "Enforce IP addresses for sessions" option, then a brute-force hack-attack (executing within a timeframe of an admin having been active) could steal the admin login. The brute-force would need to last roughly 11 days (if 10 requests per second): (10^7)/(10*3600*24). The default session expiry time is significantly less than this.

The following conjunction of events would make a site vulnerable:

- A hacker attacking a site
- Run by someone who wasn't noticing the ramp-up in (suspicious) hits
- Run by someone who'd disabled the "Enforce IP addresses for sessions" option
- A persistent attack lasting months (multiples of 11 days, hoping for an overlap between guessing a session ID and that session ID having not yet expired)

If we increase the session ID complexity we can reduce the likelihood of a guess significantly.
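The arithmetic in the report (a 10^7 keyspace, 10 guesses per second, roughly 11 days to exhaust) generalises to a small model of how likely a session-guessing attack is to succeed before the targeted session expires. The following is an added worked example, not code from the Composr project or from the report: it assumes the 10^7 keyspace implied by the report's own figure, a constructed one-hour session expiry, and uses Python's `secrets` module as an illustration of a CSPRNG-backed replacement ID (Composr is PHP, and this is not its implementation). It goes beyond the report by also modelling several live sessions at once and by computing the token length needed to hold the per-window hit probability below a chosen bound.

```python
import secrets

SECONDS_PER_DAY = 24 * 3600


def exhaustive_search_days(keyspace: int, guesses_per_second: float) -> float:
    """Days needed to try every ID once at the given request rate.

    With keyspace 10**7 and 10 req/s this reproduces the report's ~11-day figure.
    """
    return keyspace / (guesses_per_second * SECONDS_PER_DAY)


def hit_probability(keyspace: int, guesses_per_second: float,
                    window_seconds: float, live_sessions: int = 1) -> float:
    """Chance that distinct guesses made during one session window land on at
    least one of `live_sessions` currently valid IDs.

    Upper bound: assumes IDs are uniform over the keyspace and that the
    attacker never repeats a guess within the window.
    """
    guesses = guesses_per_second * window_seconds
    return min(1.0, guesses * live_sessions / keyspace)


def token_keyspace(nbytes: int) -> int:
    """Number of distinct values a token of `nbytes` random bytes can take."""
    return 256 ** nbytes


def generate_session_id(nbytes: int = 16) -> str:
    """Unpredictable session ID drawn from the OS CSPRNG, hex encoded.

    Assumed replacement scheme for illustration only, not Composr's own code.
    """
    return secrets.token_hex(nbytes)


def min_token_bytes(guesses_per_second: float, window_seconds: float,
                    live_sessions: int, max_probability: float) -> int:
    """Smallest token length in bytes keeping hit_probability <= max_probability."""
    nbytes = 1
    while hit_probability(token_keyspace(nbytes), guesses_per_second,
                          window_seconds, live_sessions) > max_probability:
        nbytes += 1
    return nbytes


if __name__ == "__main__":
    rate = 10.0        # requests per second, as in the report
    window = 3600.0    # constructed value: assume sessions expire after one hour
    legacy = 10 ** 7   # keyspace implied by the report's (10^7)/(10*3600*24)
    strong = token_keyspace(16)

    print(f"legacy 10^7 keyspace: exhaustive search "
          f"{exhaustive_search_days(legacy, rate):.1f} days, "
          f"hit probability per window {hit_probability(legacy, rate, window):.2e}")
    print(f"128-bit token: exhaustive search "
          f"{exhaustive_search_days(strong, rate):.2e} days, "
          f"hit probability per window {hit_probability(strong, rate, window):.2e}")
    print("token bytes needed for <= 1e-6 per window:",
          min_token_bytes(rate, window, 1, 1e-6))
    print("sample session id:", generate_session_id())
```

The legacy figures show why "months of repeated 11-day sweeps" is a realistic attacker budget: each one-hour admin session gives the attacker a few thousandths of a chance, and many such sessions add up. With 128 bits of randomness the per-window probability is on the order of 1e-34, so no practical request rate or session lifetime changes the picture, which is the effect the report is asking for. Note that the model only covers guessing; it says nothing about leakage of a valid ID through other channels, which the "Enforce IP addresses for sessions" option partly mitigates.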