Re: Re: Invision Power Board v2.1.4 - session hijacking
Hans,
My problem with this report is this:
1) You've not even read the IPB code. You've stated elsewhere that "using
sessions in the URL may appear in JS pop-up windows". IPB does NOT do this. IPB
removes the session ID for all links, including JS code when cookies are
enabled.
2) You're missing the point. As stated elsewhere, IPB uses a similar session
tracking method to both PHP's own session handler and other proprietry methods.
3) Security isn't derived from one not being able to authenticate as the user
by knowing their session ID, user IP and user agent - it's by making it
extremely difficult to gather this information in the first place.
Lets look at this objectively. How are you going to know what another users
session ID is unless they post a link to a site they're active on in a blog
entry? Lets say they post a link to a board on their blog entry. First, their
session will expire after 30 minutes of no activity - so a potential hacker has
a 30 minute window to find out their IP address and user agent.
I'm not stupid enough to say that can't be done; but I am realistic to know
that no one is going to go to that trouble when they could invest that time in
attacking the server in other ways.
Finally, I've been using this session code for over 5 years in various products
and I know not of a single case where one has had their session hijacked using
any methods you've stated.
Yes, in an office environment, if one "forgets" to log out and close the
browser window, anyone else who has access to that machine will be logged in as
that user - but that is not IPBs responsibility any more than it is a car
manufacturers responsibility to ensure that a car cannot be stolen when the
alarm is disengaged and the keys in the ignition.
Regards,
Matt