
Is it possible to go to cookie based session handling?


19 replies to this topic

#1 Srinath

Srinath

    Advanced Member

  • Previous Members
  • 220 posts

Posted 16 September 2011 - 09:41 AM

Hello,

Is it possible to go to cookie-based session handling instead of the default URL-based one? I got a response from Ryan before here: http://community.inv...ost__p__2154327

Any further information would be appreciated. Thank you.

#2 Kessler

Kessler

    You don't know me.

  • +Clients
  • 4,704 posts

Posted 16 September 2011 - 04:07 PM

I've moved your topic to the IP.Board Feedback forum. The developers will be able to better explain the reasoning behind using URLs for session ID's.

Please direct questions, comments and support requests to the appropriate locations
Customer Forums ~ Bug Tracker ~ Client Area Support
Pre-Sales ~ Feedback Forums ~ Modifications ~ Skinning
Submitting support tickets


#3 Charles

Charles

    Needs Life

  • IPS Management
  • 9,033 posts

Posted 16 September 2011 - 05:00 PM

The public side of our software does use cookie based sessions. The AdminCP does not for security.

Charles Warner
Invision Power Services, Inc. - President
charles.warner@invisionpower.com

 

Please do not PM me but feel free to contact me by email.


#4 Srinath

Srinath

    Advanced Member

  • Previous Members
  • 220 posts

Posted 16 September 2011 - 05:19 PM

The public side of our software does use cookie based sessions. The AdminCP does not for security.


Is there any way to implement cookie-based session handling in the ACP? I'm not concerned about security for my site (no kidding!), since I have already renamed the ACP folder, added .htaccess folder protection, and implemented SSL on the entire ACP.

#5 Charles

Charles

    Needs Life

  • IPS Management
  • 9,033 posts

Posted 16 September 2011 - 05:23 PM

There's no way that I know of. The ACP side doesn't even check for cookies :)



#6 .time

.time

    Spam Happy

  • Members
  • 768 posts

Posted 16 September 2011 - 05:24 PM

Not to be blunt, but does it really matter?

#7 Srinath

Srinath

    Advanced Member

  • Previous Members
  • 220 posts

Posted 16 September 2011 - 05:37 PM

Not to be blunt, but does it really matter?


:no:

#8 bfarber

bfarber

    RBT-KS

  • IPS Management
  • 28,619 posts

Posted 19 September 2011 - 12:22 PM

Not to be blunt, but does it really matter?


I am also curious, however I'd reword the question.

What is the reason that it matters whether the ACP uses cookie or URL based session handling?

Brandon Farber
Development Manager / Senior Support

If it sounds like fun, it's not allowed on the bus!


Invision Power Services, Inc.


#9 Enkidu

Enkidu

    IP.Badass

  • Members
  • 2,243 posts

Posted 19 September 2011 - 12:27 PM

The public side of our software does use cookie based sessions. The AdminCP does not for security.


Can anyone elaborate on this, please? I'm not sure why it is more secure to use URL-based sessions for the ACP.

See my other mods here

Latest: Adf.ly integration


#10 Charles

Charles

    Needs Life

  • IPS Management
  • 9,033 posts

Posted 19 September 2011 - 12:36 PM


Can anyone elaborate on this, please? I'm not sure why it is more secure to use URL-based sessions for the ACP.

Cookies are designed to remember your login state, whereas the ACP does not ever remember your login state. This forces you to log in again and therefore creates another layer of protection for the ACP. It also means that XSS is not possible in the ACP, since a blind link redirect or something like that couldn't work, because the ACP doesn't know who you are until you log in.



#11 Enkidu

Enkidu

    IP.Badass

  • Members
  • 2,243 posts

Posted 19 September 2011 - 12:41 PM

Cookies are designed to remember your login state, whereas the ACP does not ever remember your login state. This forces you to log in again and therefore creates another layer of protection for the ACP. It also means that XSS is not possible in the ACP, since a blind link redirect or something like that couldn't work, because the ACP doesn't know who you are until you log in.


But when I copy an ACP link from Chrome to Firefox, I find myself already logged in without invitation. That means someone using the same WAP IP as mine could potentially access my ACP if he/she managed to sniff an ACP link from me?



#12 bfarber

bfarber

    RBT-KS

  • IPS Management
  • 28,619 posts

Posted 20 September 2011 - 08:55 AM

But it's uncommon for someone else to have the same IP address as you. That would only come up in a public wifi hotspot or similar situation, and you should already be cautious transmitting sensitive data over public wifi networks.

IP address is checked when validating the session, so it's not generally possible to just steal a link and get into the ACP from a different computer.



#13 Enkidu

Enkidu

    IP.Badass

  • Members
  • 2,243 posts

Posted 20 September 2011 - 09:00 AM

But it's uncommon for someone else to have the same IP address as you. That would only come up in a public wifi hotspot or similar situation, and you should already be cautious transmitting sensitive data over public wifi networks.

IP address is checked when validating the session, so it's not generally possible to just steal a link and get into the ACP from a different computer.


thanks :)
Does IPB check the x-forward header for the IP, or just the WAN IP? I know the first one can be forged.

The irony here is that I AM currently using a public wi-fi. I should be cautious then :ninja:



#14 Charles

Charles

    Needs Life

  • IPS Management
  • 9,033 posts

Posted 20 September 2011 - 12:57 PM


thanks :smile:
Does IPB check the x-forward header for the IP, or just the WAN IP? I know the first one can be forged.

The irony here is that I AM currently using a public wi-fi. I should be cautious then :ninja:

There's a setting to check x-forward.

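The IP binding discussed in posts #12 to #14, as an added example that is not IP.Board's own code: the admin session token rides in the URL and is bound to the client IP at login, and the X-Forwarded-For header is honoured only when the setting is on and the request actually arrives from a proxy the operator listed, so a forged header from anywhere else is ignored. SESSIONS, TRUSTED_PROXIES, the function names and all addresses are constructed for the example.

```python
import hmac
import ipaddress
import secrets

# Constructed session store: token -> client IP the session was created from.
# As in the thread, the admin token is carried in the URL, never in a cookie.
SESSIONS = {}

# Constructed list of reverse proxies the operator actually runs. Only a
# request whose TCP peer is one of these may speak for the client through
# X-Forwarded-For; anybody else can write that header, so it is ignored.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(remote_addr, headers, check_x_forwarded):
    """Resolve the address the session is compared against."""
    xff = headers.get("X-Forwarded-For", "")
    if check_x_forwarded and remote_addr in TRUSTED_PROXIES and xff:
        # The rightmost entry is the one our own proxy appended, i.e. the
        # peer it really saw; earlier entries are client-controlled text.
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall through to the peer address
    return remote_addr


def create_session(ip):
    """Login step: mint an unguessable token and bind it to the client IP."""
    token = secrets.token_hex(16)
    SESSIONS[token] = ip
    return token


def validate(token, remote_addr, headers, check_x_forwarded=False):
    """Per-request check: the token must exist and the resolved client IP
    must equal the IP bound at login, so a copied ACP URL used from another
    machine is rejected."""
    bound_ip = SESSIONS.get(token)
    if bound_ip is None:
        return False
    seen_ip = client_ip(remote_addr, headers, check_x_forwarded)
    return hmac.compare_digest(bound_ip, seen_ip)
```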


#15 Matt

Matt

    Chief Software Architect

  • IPS Management
  • 26,142 posts

Posted 21 September 2011 - 02:09 AM

As others have said, the only way to 'steal' a session in the ACP is if you handed out a URL. I can't think of a single reason why you would do that.

Matt Mecham
Invision Power Services, Inc.
"I love deadlines. I especially like the whooshing sound they make as they go flying by."
-- Douglas Adams (1952 - 2001)


#16 Srinath

Srinath

    Advanced Member

  • Previous Members
  • 220 posts

Posted 21 September 2011 - 11:32 AM

Interesting discussion ... I'm using SSL on the ACP, so does it really matter for me? :no: I don't think so, even though I posted the question! :laugh:

#17 Matt

Matt

    Chief Software Architect

  • IPS Management
  • 26,142 posts

Posted 22 September 2011 - 04:09 AM

I would just use the tool in the security centre to set up a .htaccess password on the admin directory so even if someone did manage to somehow get your session key, they would need to enter an authentication password to get in.

Matt Mecham
Invision Power Services, Inc.
"I love deadlines. I especially like the whooshing sound they make as they go flying by."
-- Douglas Adams (1952 - 2001)


#18 Enkidu

Enkidu

    IP.Badass

  • Members
  • 2,243 posts

Posted 22 September 2011 - 06:30 AM

I would just use the tool in the security centre to set up a .htaccess password on the admin directory so even if someone did manage to somehow get your session key, they would need to enter an authentication password to get in.


I have that, and I've also set up an IP-based restriction and configured CSF to ban any IP that fails to authenticate more than 5 times.



#19 Srinath

Srinath

    Advanced Member

  • Previous Members
  • 220 posts

Posted 29 September 2011 - 12:44 AM

Is there any way to implement a "nice user interface" for the .htaccess login on the ACP?

#20 CalendarOfUpdates

CalendarOfUpdates

    Advanced Member

  • +Clients
  • 361 posts

Posted 29 September 2011 - 09:15 AM

Is there any way to implement a "nice user interface" for the .htaccess login on the ACP?

No, that is controlled by the browser.



