#511 - Reduce chance of brute force attacks against session generation
| Identifier | #511 |
|---|---|
| Issue type | Minor issue (breaks specific functionality) |
| Title | Reduce chance of brute force attacks against session generation |
| Status | Completed |
| Handling member | Chris Graham |
| Version | 8.1 |
| Addon | General / Uncategorised |
| Description | Sessions are generated using mt_rand, seeded via a combination of uniqid and microtime. Some juggling is done, but the only dominant factor is microtime. That means that, in theory, the number of guesses needed to hit a valid session is reduced. It is still a huge number, and IP address restriction is in place, but it is better that we lay on additional defences here. So, use openssl_random_pseudo_bytes if it is available. |
| Steps to reproduce | |
| Funded? | No |
| Hotfixes | hotfix-511, 2012-05-27 1pm.tar; hotfix-511, 2012-05-27 3pm.tar. Only apply these hotfixes if you absolutely need them and cannot wait until the next release of Composr (releases are more reliable and strictly tested). We provide no guarantee that hotfixes will work; they may even break your site, especially if a hotfix depends on another hotfix. Always make a site backup if you attempt to apply a hotfix. As of Composr version 11, the recommended way to apply a hotfix is by following the same steps as an upgrade. For Composr version 10, manually extract the files (e.g., using 7-Zip) and overwrite files in your Composr installation that are older than the ones in the hotfix (check the file modification date/time). Skip hotfix files that do not exist in your installation. |
| Commits | |


Comments
Have to not run openssl_random_pseudo_bytes on Windows, unfortunately; define a special case.
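To illustrate the weakness in the description and the fix this issue settles on (including the Windows special case raised in the comment), here is an added example; it is not Composr's own code, and the exact Windows detection rule and the 20-byte/40-hex length are assumptions made for the illustration.

```php
<?php
// Added example, not Composr's code: a session-ID generator in the style the
// issue describes, beside a hardened version that prefers the OpenSSL CSPRNG.

// Weak: uniqid() and microtime() are "juggled" into a seed, but microtime is
// the only input that really varies, so the 40 hex characters of output are
// derived from a search space far smaller than 160 bits.
function weak_session_id()
{
    $seed = crc32(uniqid('', true) . microtime(true)); // ~32 bits of seed
    mt_srand($seed);
    $id = '';
    for ($i = 0; $i < 5; $i++) {
        $id .= sprintf('%08x', mt_rand());
    }
    return $id; // fully determined by the seed above
}

// Hardened: draw the ID from openssl_random_pseudo_bytes when it is usable.
// The issue comment says this path must not run on Windows, so that is
// treated as an explicit special case (detection rule is an assumption).
// The old generator stays only as a last-resort fallback.
function strong_session_id()
{
    $on_windows = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
    if (function_exists('openssl_random_pseudo_bytes') && !$on_windows) {
        $crypto_strong = false;
        $bytes = openssl_random_pseudo_bytes(20, $crypto_strong);
        // Only trust the result if OpenSSL reports a cryptographically
        // strong source; otherwise fall through to the fallback.
        if ($bytes !== false && $crypto_strong) {
            return bin2hex($bytes); // 40 hex chars, 160 bits of entropy
        }
    }
    return weak_session_id();
}

// Both IDs look alike; only the second one resists guessing by an attacker
// who can narrow down when the session was created.
echo weak_session_id(), "\n";
echo strong_session_id(), "\n";
```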