Closed (fixed)
Project: Secure Pages
Version: 5.x-1.6
Component: Code
Priority: Normal
Category: Feature request
Assigned:
Reporter:
Created: 17 Jul 2008 at 23:02 UTC
Updated: 28 Apr 2009 at 06:10 UTC
I am working on porting bjaspan's excellent patch to 5.x:
http://drupal.org/node/66970
Without this countermeasure against session hijacking, the protection afforded by securepages is easily bypassed.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | securepages-284132-5.patch | 8.66 KB | cedarm |
| #1 | securepages-hijack.patch | 4.08 KB | grendzy |
Comments
Comment #1
grendzy commented
OK, here is my port to 5.x-1.6.
I made one improvement from the 4.7 version: the cookie parameters are copied in from the current session. This is mainly useful in setting the expiry time to match the session cookie, which prevents false positives which used to happen if the secure cookie expired before the session cookie.
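The expiry point in comment #1, as an added example that is not part of the thread or of either attached patch: it assumes the countermeasure binds the session to a random token carried in a Secure-flagged cookie and checked on HTTPS requests. The cookie name and the `example_*` functions are hypothetical, and the code is written for PHP 7 rather than the PHP versions Drupal 5 targeted.

```php
<?php
// Added illustration; not the code from securepages-hijack.patch.
// Assumption: the session is paired with a token that only ever travels
// in a cookie marked Secure, so a session ID sniffed over plain HTTP is
// not enough to reach HTTPS pages.

const EXAMPLE_SECURE_COOKIE = 'example_secure_token'; // hypothetical name

function example_is_https() {
  return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Call over HTTPS once the session exists (for example, right after login).
function example_issue_secure_cookie() {
  $token = bin2hex(random_bytes(32));
  $_SESSION['example_secure_token'] = $token;

  // Copy path, domain and lifetime from the session cookie. If the secure
  // cookie used a shorter, hard-coded lifetime it would expire first, and
  // a legitimate user with a still-valid session would fail the check
  // below: the false positive described in comment #1.
  $p = session_get_cookie_params();
  $expire = $p['lifetime'] ? time() + $p['lifetime'] : 0; // 0 = until browser closes

  setcookie(
    EXAMPLE_SECURE_COOKIE,
    $token,
    $expire,
    $p['path'],
    $p['domain'],
    TRUE,  // Secure: never sent over plain HTTP
    TRUE   // HttpOnly: not readable from page scripts
  );
}

// Call on every request; returns FALSE when an HTTPS request carries a
// session that has a token but the matching secure cookie is missing or wrong.
function example_check_secure_cookie() {
  if (!example_is_https() || empty($_SESSION['example_secure_token'])) {
    return TRUE; // plain HTTP, or no token issued yet: nothing to compare
  }
  $sent = $_COOKIE[EXAMPLE_SECURE_COOKIE] ?? '';
  // Constant-time comparison of the stored token and the cookie value.
  return is_string($sent) && hash_equals($_SESSION['example_secure_token'], $sent);
}
```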
Comment #2
grendzy commented
Comment #3
christefano commented
Thanks, grendzy. I'm testing this now on a few sites.
Comment #4
bjaspan commented
subscribe
Comment #5
cedarm commented
Incorporated changes to D6 patch (#286499-7: (D6) Preventing hijacked sessions from accessing SSL page, comments #5, 6, 7) into this patch. This includes the hook_requirements() in securepages.install.
This applies to securepages 5.x-1.7-beta1.
Comment #6
grendzy commented
securepages_prevent_hijack is now available for D5, which provides this enhancement as a module.