Is it possible to go to cookie based session handling?


Srinath



The public side of our software does use cookie based sessions. The AdminCP does not for security.




Is there any way to implement cookie-based session handling in the ACP? I'm not concerned about security for my site (no kidding!), since I already renamed the ACP folder, added .htaccess folder protection and implemented SSL on the entire ACP.


Can anyone elaborate on this, please? I'm not sure why it is more secure to use URL-based sessions for the ACP.



Cookies are designed to remember your login state whereas the ACP does not ever remember your login state. This forces you to login again and therefore creates another layer of protection for the ACP. It also means that XSS is not possible in the ACP since a blind link redirect or something like that couldn't work since the ACP doesn't know who you are until you login.


> Cookies are designed to remember your login state whereas the ACP does not ever remember your login state. This forces you to login again and therefore creates another layer of protection for the ACP. It also means that XSS is not possible in the ACP since a blind link redirect or something like that couldn't work since the ACP doesn't know who you are until you login.




But when I copy an ACP link from Chrome to Firefox, I find myself already logged in without invitation. That means someone using the same WAP IP as mine could potentially access my ACP if he/she managed to sniff an ACP link from me?

But it's uncommon for someone else to have the same IP address as you. That would only come up in a public wifi hotspot or similar situation, and you should already be cautious transmitting sensitive data over public wifi networks.

IP address is checked when validating the session, so it's not generally possible to just steal a link and get into the ACP from a different computer.



> But it's uncommon for someone else to have the same IP address as you. That would only come up in a public wifi hotspot or similar situation, and you should already be cautious transmitting sensitive data over public wifi networks.



> IP address is checked when validating the session, so it's not generally possible to just steal a link and get into the ACP from a different computer.




thanks :)
Does IPB check the X-Forwarded-For header for the IP, or just the WAN IP? I know the first one can be forged.

The irony here is that I AM currently using a public wi-fi. I should be cautious then :ninja:
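The two points raised above, that a URL-carried session is bound to the client's IP address when it is validated, and that X-Forwarded-For is client-controlled unless it comes from your own proxy, are illustrated by the following session validator. This is an added example written for this thread, not IPB's code, and it makes no claim about how IPB itself derives the client address; the `sess` query parameter, the `TRUSTED_PROXIES` set and all IP addresses are constructed for the demonstration.

```python
"""IP-bound, URL-carried session validation with careful X-Forwarded-For handling.

Example code for this thread (not IPB's implementation). Assumptions, all constructed:
the session id travels in a `sess` query parameter, and TRUSTED_PROXIES lists the
reverse proxies we operate.
"""
import secrets
from dataclasses import dataclass, field

# Constructed: addresses of our own reverse proxies / load balancers. Only these
# peers are trusted to append the real client address to X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


@dataclass(frozen=True)
class Request:
    remote_addr: str                       # TCP peer the web server actually spoke to
    headers: dict = field(default_factory=dict)   # HTTP headers, lower-cased names
    query: dict = field(default_factory=dict)     # URL query parameters


def client_ip(req: Request) -> str:
    """Return the address a session should be bound to.

    X-Forwarded-For is honoured only when the direct peer is one of our proxies;
    from anyone else the header is just text the client typed in. When honoured,
    the right-most entry is used: that is the hop our proxy appended, while any
    earlier entries were already present in the request the client sent.
    """
    if req.remote_addr in TRUSTED_PROXIES:
        xff = req.headers.get("x-forwarded-for", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return req.remote_addr


class SessionStore:
    """Server-side store mapping a session id to (member id, bound client IP)."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[int, str]] = {}
        self.rejections: list[dict] = []   # audit trail of failed validations

    def create(self, member_id: int, req: Request) -> str:
        sid = secrets.token_hex(16)        # 128 bits of CSPRNG output
        self._sessions[sid] = (member_id, client_ip(req))
        return sid

    def validate(self, req: Request):
        """Return the member id for a valid session, or None.

        A copied link keeps working from a different browser on the same IP
        (the observation earlier in the thread); it fails from any other IP.
        """
        sid = req.query.get("sess")
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        member_id, bound_ip = entry
        seen_ip = client_ip(req)
        if seen_ip != bound_ip:
            # Record for detection: a valid token presented from a new address
            # is exactly the "stolen link" case the thread is worried about.
            self.rejections.append({"sid": sid, "bound": bound_ip, "seen": seen_ip})
            return None
        return member_id


def demo() -> dict:
    """Walk through the scenarios discussed in the thread; returns the outcomes."""
    store = SessionStore()
    sid = store.create(42, Request("203.0.113.7"))          # admin logs in directly
    link = {"sess": sid}
    return {
        "same_ip_other_browser": store.validate(
            Request("203.0.113.7", {"user-agent": "Firefox"}, link)),
        "other_ip": store.validate(Request("198.51.100.9", {}, link)),
        "forged_xff_untrusted_peer": store.validate(
            Request("198.51.100.9", {"x-forwarded-for": "203.0.113.7"}, link)),
        "real_client_via_trusted_proxy": store.validate(
            Request("10.0.0.5", {"x-forwarded-for": "203.0.113.7"}, link)),
        "spoofed_prefix_via_trusted_proxy": store.validate(
            Request("10.0.0.5", {"x-forwarded-for": "203.0.113.7, 198.51.100.9"}, link)),
        "rejections": len(store.rejections),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `same_ip_other_browser` case succeeds and every other-address case fails, which matches both the behaviour reported above and the explanation that the address is checked at validation time. The header logic is the answer to the forgery question: a spoofed X-Forwarded-For from an untrusted peer is ignored entirely, and even behind a trusted proxy only the hop that proxy itself appended is believed.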

I would just use the tool in the security centre to set up a .htaccess password on the admin directory so even if someone did manage to somehow get your session key, they would need to enter an authentication password to get in.



> I would just use the tool in the security centre to set up a .htaccess password on the admin directory so even if someone did manage to somehow get your session key, they would need to enter an authentication password to get in.




I have that, and I've also set up an IP-based restriction and configured CSF to ban any IP that fails to authenticate more than 5 times.