Subject: The mailing list for listmasters using Sympa
List archive
- From: Serge Aumont <address@concealed>
- To: "Lorenz, Sabine" <address@concealed>
- Cc: address@concealed
- Subject: Re: [sympa-users] Sympa Session breaks
- Date: Wed, 15 Jul 2009 16:48:19 +0200
Lorenz, Sabine wrote:
> Hello,
>
> we upgraded from Sympa version 5.3.3 to version 5.4.7 two weeks ago.
>
> After the update we had the following problem:
> List-owners who logged in via the web-interface and did some action
> were logged off automatically.
> The entry in the sympa log was
> "SympaSession::new ignoring session cookie because remote host is not
> the original host"
> To solve this problem I installed patch 5142
> http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/SympaSession.pm?r1=5107&r2=5142
> and this error didn't appear any more.
>
> Now I found out that there still appears a similar error.
> The sessions of some list-owners break when they do a certain action.
> The sympa log entries are the following:
Sympa renews the session id (used as the client cookie) after each access, so
session hijacking is much more difficult. If the client accesses a page
and renews it before receiving the new cookie value, the session is
broken. You can verify this by just reloading a page very quickly.
In order to limit this problem without introducing a security hole,
Sympa does not renew the session id if https is used. You should use
https; this will solve this problem.
See: http://en.wikipedia.org/wiki/Session_hijacking#Prevention
Serge
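
The renewal behaviour described in this reply, as a small Python model added here; it is not Sympa's code or part of the original message. The class and function names and the sample address are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Toy model of per-request session id renewal (not Sympa's code)."""

    def __init__(self):
        self.sessions = {}  # current session id -> user

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def handle(self, cookie, https):
        """Return (user, cookie_to_set); user is None if the id is unknown."""
        user = self.sessions.get(cookie)
        if user is None:
            return None, None        # stale or forged id: treated as logged out
        if https:
            return user, cookie      # id is not renewed when https is used
        del self.sessions[cookie]    # plain http: the old id stops working now
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = user
        return user, new_sid


def quick_reload(https):
    """Client sends two requests before reading the first response's cookie."""
    store = SessionStore()
    cookie = store.login("owner@example.org")  # constructed sample user
    first_user, _ = store.handle(cookie, https)
    second_user, _ = store.handle(cookie, https)  # still carries the old id
    return first_user, second_user


def replay_old_cookie(https):
    """An id value seen earlier is presented again after the owner's next request."""
    store = SessionStore()
    old = store.login("owner@example.org")
    _, fresh = store.handle(old, https)        # owner's legitimate request
    replayed_user, _ = store.handle(old, https)
    owner_user, _ = store.handle(fresh, https)
    return replayed_user, owner_user


if __name__ == "__main__":
    print("http  quick reload:", quick_reload(https=False))
    print("https quick reload:", quick_reload(https=True))
    print("http  old id replay:", replay_old_cookie(https=False))
```

Over plain http the second request of a quick reload is rejected for the same reason a replayed old id is: the store only knows the most recently issued value.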