View Issue Details
Field | Value
---|---
ID | 708
Project | Composr
Category | core
View Status | public
Date Submitted | 2012-07-28 20:45
Last Update | 2025-01-29 17:42
Reporter | Chris Graham
Assigned To | Chris Graham
Priority | normal
Severity | feature
Status | resolved
Resolution | fixed
Summary | 708: Increase complexity of session IDs
Tags | No tags attached.
Time estimation (hours) | 8
Sponsorship open |

Description:

If someone disables the "Enforce IP addresses for sessions" option, then a brute-force hack-attack (executing within a timeframe of an admin having been active) could steal the admin login. The brute-force would need to last roughly 11 days (if 10 requests per second): (10^7)/(10*3600*24). The default session expiry time is significantly less than this.

The following conjunction of events would make a site vulnerable:

- A hacker attacking a site
- Run by someone who wasn't noticing the ramp-up in (suspicious) hits
- Run by someone who'd disabled the "Enforce IP addresses for sessions" option
- A persistent attack lasting months (multiples of 11 days, hoping for an overlap between guessing a session ID and that session ID having not yet expired)

If we increase the session ID complexity we can reduce the likelihood of a guess significantly.
Additionally, disabling "Enforce IP addresses for sessions" is bad because if someone does manage to intercept or steal your session ID, they can use that directly. They should not be able to do so, but it is better safe than sorry.

Side note: Session ID complexity was increased even further in v11. In v10, IDs were 13-character hexadecimal (base 16). In v11, it has been increased to 13-character base 32 (0-9 and a-z except 0, o, 1, and l).
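As an added illustration (not part of the tracker entry or of Composr's own code), the following Python works through the reporter's sweep-time arithmetic for the v10 and v11 session ID formats described in the note, and shows a CSPRNG-backed generator plus a format validator for the v11 alphabet. The alphabet strings and function names are assumptions made for this example.

```python
import math
import secrets

SESSION_ID_LENGTH = 13
# v10 format from the note: 13 hexadecimal characters.
HEX_ALPHABET = "0123456789abcdef"
# v11 format from the note: digits and lowercase letters minus the four
# easily confused symbols 0, o, 1 and l, which leaves exactly 32 symbols.
BASE32_ALPHABET = "".join(c for c in "0123456789abcdefghijklmnopqrstuvwxyz"
                          if c not in "0o1l")


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct IDs the format can express."""
    return len(alphabet) ** length


def entropy_bits(alphabet: str, length: int) -> float:
    """Bits of entropy per ID, assuming every symbol is drawn uniformly."""
    return length * math.log2(len(alphabet))


def days_to_sweep(space: int, requests_per_second: float) -> float:
    """Days needed to try every ID once at the given request rate.

    This is the reporter's formula, space / (rate * 3600 * 24).  With one
    live session the expected hit comes at about half of this; with N live
    sessions, at about 1/N of it.
    """
    return space / (requests_per_second * 3600 * 24)


def generate_session_id(alphabet: str = BASE32_ALPHABET,
                        length: int = SESSION_ID_LENGTH) -> str:
    """Draw an ID from the OS CSPRNG; never use a seeded PRNG for session IDs."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_session_id(sid: str, alphabet: str = BASE32_ALPHABET,
                        length: int = SESSION_ID_LENGTH) -> bool:
    """Reject anything that is not exactly `length` symbols of `alphabet`,
    so malformed input never reaches the session lookup."""
    return len(sid) == length and all(c in alphabet for c in sid)


if __name__ == "__main__":
    print(f"reporter's 10^7 space at 10 req/s: {days_to_sweep(10**7, 10):.1f} days")
    for name, alphabet in (("v10 hex", HEX_ALPHABET), ("v11 base32", BASE32_ALPHABET)):
        space = keyspace(alphabet, SESSION_ID_LENGTH)
        print(f"{name}: {entropy_bits(alphabet, SESSION_ID_LENGTH):.0f} bits, "
              f"{days_to_sweep(space, 10) / 365:.3g} years to sweep at 10 req/s")
    print("sample v11 ID:", generate_session_id())
```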
Date Modified | Username | Field | Change
---|---|---|---
2025-01-29 17:42 | PDStig | Note Added: 0009792 |