Preventing hijacked sessions from accessing SSL page
grendzy - July 17, 2008 - 23:02
| Project: | Secure Pages |
| Version: | 5.x-1.6 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | grendzy |
| Status: | closed |
Description
I am working on porting bjaspan's excellent patch to 5.x:
http://drupal.org/node/66970
Without this countermeasure against session hijacking, the protection afforded by securepages is easily bypassed.

#1
OK, here is my port to 5.x-1.6.
I made one improvement from the 4.7 version: the cookie parameters are copied in from the current session. This is mainly useful in setting the expiry time to match the session cookie, which prevents false positives which used to happen if the secure cookie expired before the session cookie.
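The approach described in #1, sketched as an added example (this is not the attached patch or Secure Pages code): an HTTPS-only companion cookie is issued with its parameters copied from the session cookie, so both expire together, and HTTPS requests are refused when it does not match. The cookie name, the `$_SESSION` keys and the function names are assumptions made for illustration, and the code targets current PHP rather than the PHP versions Drupal 5 ran on.

```php
<?php
// Added illustration; every name here is hypothetical, not from the patch.
const EXAMPLE_SECURE_COOKIE = 'example_secure_token'; // assumed cookie name

/**
 * Call once, at login, on an HTTPS request with the session already started.
 * Issues a companion cookie that is only ever sent over HTTPS.
 */
function example_issue_secure_cookie(): void {
  // Copy path, domain and lifetime from the session cookie so the two
  // cookies expire together and a valid user is not flagged by mistake.
  $params = session_get_cookie_params();
  $token = bin2hex(random_bytes(32));
  $_SESSION['example_secure_token'] = $token;
  // A lifetime of 0 means "until the browser closes"; keep that meaning.
  $expires = $params['lifetime'] ? time() + $params['lifetime'] : 0;
  setcookie(
    EXAMPLE_SECURE_COOKIE,
    $token,
    $expires,
    $params['path'],
    $params['domain'],
    TRUE,  // Secure: never sent over plain HTTP, so it cannot be sniffed there.
    TRUE   // HttpOnly: not readable from page scripts.
  );
}

/**
 * Returns TRUE when the request carries the companion cookie for this session.
 */
function example_secure_cookie_matches(): bool {
  $expected = $_SESSION['example_secure_token'] ?? '';
  $presented = $_COOKIE[EXAMPLE_SECURE_COOKIE] ?? '';
  return $expected !== '' && is_string($presented)
    && hash_equals($expected, $presented);
}

/**
 * Call on every HTTPS request. A session cookie captured from HTTP traffic
 * arrives here without the companion cookie and is refused.
 */
function example_guard_https_request(): void {
  // 'uid' is an assumed marker for an authenticated session.
  if (!empty($_SESSION['uid']) && !example_secure_cookie_matches()) {
    http_response_code(403);
    exit;
  }
}
```

If the session cookie's expiry is later extended, the companion cookie needs to be re-sent with the same parameters, otherwise the mismatch in expiry described in #1 comes back.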
#2
#3
Thanks, grendzy. I'm testing this now on a few sites.
#4
subscribe
#5
Incorporated changes to D6 patch (#286499-7: (D6) Preventing hijacked sessions from accessing SSL page, comments #5, 6, 7) into this patch. This includes the hook_requirements() in securepages.install.
This applies to securepages 5.x-1.7-beta1.
#6
securepages_prevent_hijack is now available for D5, which provides this enhancement as a module.
#7
Automatically closed -- issue fixed for 2 weeks with no activity.