#512 - Option for constant session expiry

Identifier #512
Issue type Feature request or suggestion
Title Option for constant session expiry
Status Closed (rejected)
Tags

Type: Security (custom)

Handling member Chris Graham
Addon core
Description You don't want to have your session ID stolen. Composr does lock them to IP addresses, but if somehow a hacker can run something on your machine or spoof their IP to the server, you'd have a problem.

One interesting technique is to change the session ID at every request. Because it is constantly cycling, any out-of-cycle requests (i.e. using a stolen throw-away session ID) would not work.

I can't think of any ways this would break stuff, apart from creating a small performance issue. It should not happen for Guest session IDs; that really would be a performance issue.
Steps to reproduce

Funded? No
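
The rotation scheme from the description, sketched as an added example (not Composr code and not part of the original issue): member session IDs are replaced on every request, guest IDs stay fixed, and each ID is locked to the IP address it was created from. The class and function names, the in-memory dictionary and the sample addresses are assumptions made for illustration.

```python
import secrets


class RotatingSessionStore:
    """Hypothetical in-memory store: member IDs are single-use, guest IDs are stable."""

    def __init__(self):
        self._sessions = {}  # current session ID -> {"user", "ip", "guest"}

    def create(self, user, ip, guest=False):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": ip, "guest": guest}
        return sid

    def handle_request(self, sid, ip):
        """Return (user, sid_for_next_request), or (None, None) if rejected."""
        record = self._sessions.get(sid)
        if record is None:
            return None, None           # unknown or already-rotated ID
        if record["ip"] != ip:
            return None, None           # ID is locked to the IP that created it
        if record["guest"]:
            return record["user"], sid  # guests keep their ID, no per-request cost
        # Member session: retire the presented ID and issue a fresh one.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = record
        return record["user"], new_sid


def demo():
    """Walk through one member session and one guest session (constructed data)."""
    store = RotatingSessionStore()
    ip = "192.0.2.10"  # constructed documentation address
    first = store.create("alice", ip)
    copied = first  # an ID captured before the legitimate request is made
    user, second = store.handle_request(first, ip)     # legitimate request rotates it
    replay_user, _ = store.handle_request(copied, ip)  # out-of-cycle request
    guest = store.create("guest", ip, guest=True)
    _, guest_next = store.handle_request(guest, ip)
    return user, second != first, replay_user, guest_next == guest
```

The server has to hand the new ID back with every response (for example as a refreshed cookie), which is where the per-request cost mentioned in the description comes from.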