
en - Re: [sympa-users] Sympa Session breaks

Subject: The mailing list for listmasters using Sympa

  • From: Serge Aumont <address@concealed>
  • To: "Lorenz, Sabine" <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Sympa Session breaks
  • Date: Wed, 15 Jul 2009 16:48:19 +0200

Lorenz, Sabine wrote:
> Hello,
>
> we upgraded from Sympa version 5.3.3 to version 5.4.7 two weeks ago.
>
> After the update we had the following problem:
> List-owners who logged in via the web-interface and did some action
> were logged off automatically.
> The entry in the sympa log was
> "SympaSession::new ignoring session cookie because remote host is not
> the original host"
> To solve this problem I installed patch 5142
> http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/SympaSession.pm?r1=5107&r2=5142
> and this error didn't appear any more.
>
> Now I found out that there still appears a similar error.
> The sessions of some list-owners break when they do a certain action.
> The sympa log entries are the following:

Sympa renews the session id (used as client cookie) after each access so
session hijacking is much more difficult. If the client accesses a page
and renews it before receiving the new cookie value, the session is
broken. You can verify this by just reloading a page very quickly.

In order to limit this problem without introducing a security hole,
Sympa does not renew the session id if https is used. You should use
https; this will solve this problem.
See: http://en.wikipedia.org/wiki/Session_hijacking#Prevention

Serge
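
A small model of the behaviour described in the message above, added here as an illustration and not taken from Sympa's SympaSession.pm. The class, the function names, the in-memory store and the sample address are assumptions; it shows why a very quick reload breaks a session whose id is renewed on every access, why the https case does not, and why a previously issued id is rejected after renewal.

```python
import secrets


class RotatingSessionStore:
    """Toy model of per-access session-id renewal (hypothetical, not Sympa's code)."""

    def __init__(self):
        self._sessions = {}  # currently valid session id -> user

    def login(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def handle(self, cookie, https=False):
        """Process one request. Returns (user, cookie_to_set).

        user is None when the presented cookie is no longer a valid id.
        """
        user = self._sessions.get(cookie)
        if user is None:
            return None, None          # stale id: the session appears broken
        if https:
            return user, cookie        # as described above: no renewal over https
        del self._sessions[cookie]     # the old id is invalid from now on
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = user
        return user, new_sid


def quick_reload(https):
    """Two requests sent with the same cookie, as in a very quick reload."""
    store = RotatingSessionStore()
    cookie = store.login("owner@example.org")  # constructed sample user
    # First request is processed, but the client has not yet received
    # the response carrying the renewed cookie.
    first_user, _pending_cookie = store.handle(cookie, https)
    # The reload therefore still carries the old cookie value.
    second_user, _ = store.handle(cookie, https)
    return first_user, second_user


def old_id_after_renewal():
    """An id issued earlier is rejected once the next access has renewed it."""
    store = RotatingSessionStore()
    first_id = store.login("owner@example.org")
    store.handle(first_id)               # normal access renews the id
    user, _ = store.handle(first_id)     # the earlier id is presented again
    return user
```
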



