#708 - Increase complexity of session IDs

Identifier #708
Issue type Feature request or suggestion
Title Increase complexity of session IDs
Status Completed
Handling member Chris Graham
Addon core
Description If someone disables the "Enforce IP addresses for sessions" option, then a brute-force attack (executed within the timeframe in which an admin has been active) could steal the admin login.

The brute force would need to last roughly 11 days at 10 requests per second: (10^7)/(10*3600*24)
The default session expiry time is significantly less than this.

The following conjunction of events would make a site vulnerable:
- A hacker attacking a site
- Run by someone who wasn't noticing the ramp-up in (suspicious) hits
- Run by someone who'd disabled the "Enforce IP addresses for sessions" option
- A persistent attack lasting months (multiples of 11 days, hoping for an overlap between guessing a session ID and that session ID not yet having expired)

If we increase the session ID complexity we can reduce the likelihood of a guess significantly.
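The arithmetic in the description, worked through as an added example (this is not code from the tracker or from the project): it computes how long enumerating a session-ID space takes at a given request rate, the approximate chance that a live session is guessed before it expires, and what the same figures look like once IDs carry 128 bits of CSPRNG entropy. The request rate, the 10^7 ID space and the one-hour session lifetime are the reporter's numbers or constructed assumptions; `secrets.token_urlsafe` and `hmac.compare_digest` are standard-library calls.

```python
import hmac
import secrets

# Constructed assumptions taken from the issue description: an attacker
# sending 10 requests per second against an ID space of 10^7 values.
RATE_PER_SECOND = 10
WEAK_ID_SPACE = 10 ** 7
SESSION_LIFETIME_SECONDS = 3600  # assumed default expiry for illustration


def brute_force_days(id_space, requests_per_second=RATE_PER_SECOND):
    """Days needed to try every ID in the space at the given rate."""
    return id_space / (requests_per_second * 3600 * 24)


def overlap_probability(id_space, lifetime_seconds=SESSION_LIFETIME_SECONDS,
                        requests_per_second=RATE_PER_SECOND):
    """Approximate chance that a single live session is guessed before it
    expires: guesses made during its lifetime divided by the ID space."""
    guesses = lifetime_seconds * requests_per_second
    return min(1.0, guesses / id_space)


def session_id_bits(n_bytes):
    """Entropy of an ID built from n_bytes of CSPRNG output."""
    return 8 * n_bytes


def generate_session_id(n_bytes=16):
    """Session ID from the OS CSPRNG, URL-safe base64 without padding.
    16 bytes gives 128 bits, a space of 2**128 values."""
    return secrets.token_urlsafe(n_bytes)


def session_id_matches(stored, presented):
    """Compare IDs in constant time so an attacker cannot shorten the
    search by timing how many leading characters matched."""
    return hmac.compare_digest(stored.encode(), presented.encode())


def strong_id_space(n_bytes=16):
    return 2 ** session_id_bits(n_bytes)


if __name__ == "__main__":
    print(f"weak space: {brute_force_days(WEAK_ID_SPACE):.1f} days to enumerate, "
          f"P(guess one live session) ~ {overlap_probability(WEAK_ID_SPACE):.4f}")
    strong = strong_id_space()
    print(f"128-bit space: {brute_force_days(strong):.3e} days to enumerate, "
          f"P(guess one live session) ~ {overlap_probability(strong):.3e}")
    sid = generate_session_id()
    print(f"example ID: {sid} ({len(sid)} chars)")
```

At the reporter's rate the 10^7 space takes about 11.6 days to sweep, and a one-hour session is hit with probability on the order of 3.6e-3 per sweep, which is why a months-long attack is plausible. With 128-bit IDs the same sweep takes on the order of 10^33 days and the per-session probability is about 10^-34, so the "Enforce IP addresses" setting stops being the only thing standing between the attacker and the admin session. The constant-time comparison matters once IDs are long: a byte-by-byte `==` can leak match length through timing on some platforms.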
Steps to reproduce

Funded? No
