[ic] Admin/Login Bug?!

Greg Goble interchange-users@icdevgroup.org
Thu Feb 20 08:26:01 2003


Jonathan Clark wrote:
> > > > >
> > > > > Here's a URL to IC's demo1 admin area. See if you get prompted
> > > > > for the username & password.
> > > > >
> > > > > http://demo.icdevgroup.org/i/demo1/admin/customer.html?showactive=1&id=TwXw32cc&mv_pc=17
> > > > >
> > > > > Granted if the IC's demo1 clears its session ID's between now and
> > > > > the you all receive it, it may not work. So try it yourself.
> > > > >
> > > > > Immediate attention, clarification and support are greatly
> > > > > appreciated.
> > > >
> > > > I'm pretty sure Interchange's session handling stops session
> > > > hijacking in the way you describe. Granted, if you disable cookies
> > > > and run your tests on the same machine (same IP address) you may
> > > > appear to be hijacking a session.
> > >
> > > This is true, and it is why we have the IP address qualification
> > > turned on by default.
> > >
> > > If you set WideOpen Yes, you can do it. Which is why I suggest
> > > lowering SessionExpire to 20 minutes or less if you run WideOpen.
> > >
> > > You can reduce your exposure to this by running the UI via
> > > https.
> >
> > IC Team,
> >
> > First of all, thanks to all of you for your inputs. Issues on
> > security should also raise an eyebrow or two, especially the
> > seriousness of it, and the more opinions/experience expressed the better.
> >
> > At least now I know it is/was an 'issue', it has been addressed
> > and lastly there are ways to address it.
>
> Is/was an issue? I disagree with this. The behaviour you are
> experiencing is as expected, and I would not consider that the same
> person, revisiting the same site and getting the same session, is an
> _issue_; I would consider it desirable. In fact, imagine that this
> _never_ happened... that would in effect mean each page request would be
> considered a new visitor to the site - the net result would be no
> sessions at all.
>
> >
> > Oddly enough, I don't see OpenWide in my catalog.cfg (or
> > interchange.cfg). I was expecting to see either OpenWide No or Yes set,
> > according to Mike's & Ed's remarks. If not/not having the latter
> > listed in my catalog.cfg is the same as OpenWide No then I'm okay
> > with that. Can someone confirm this, please? I also do not have
> > SessionExpire in my catalog.cfg. Should I?
>
> The default for WideOpen is No, so not having the directive at all is
> the more secure setting.
>
> Using SessionExpire is a way of reducing the life of a session. If you
> visited your site, put something in the cart, went for a cup of tea and
> came back, would you expect the item to still be in the cart? I would.
> If I came back the next day I would not expect it to be there though.
>
> What Mike was saying is that reducing this value means less time for
> someone hijacking a session (where WideOpen is Yes) to get in.

Jonathan,

Thanks for bringing this to an end. It's very clear now. Of course, I would expect the item to still be in the cart if I went for a
tea, assuming that I'm still using the same IP when the IC OpenWide is No.

Q: If I had a dedicated IP address at home, which I do, should I expect the next day that my item is still in my cart? Not according
to Joachim's recent post. I'm under the impression that I had better limit my tea breaks to 1 hour! :-)

Seriously though folks, this helps a lot (thanks), because in my domain my admin/users would like to swap their URLs to display
specific contents, orders, etc. with one another; however, the thought that others outside our domain might get access to/hijack the
URLs raised some concern.

Many thanks! Keep up the good work!

Greg G.
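As an added illustration (not Interchange's code, and not part of the original thread), a toy model of the behaviour Jonathan and Mike describe: a session id is honoured only from the IP address that created it unless WideOpen is on, and any session past the SessionExpire window is dropped. The session ids, addresses, the "widget" cart item and the 20-minute expiry are all constructed for the example.

```python
from dataclasses import dataclass, field

SESSION_EXPIRE = 20 * 60  # seconds; the 20-minute SessionExpire Mike suggests (assumed value)


@dataclass
class Session:
    sid: str
    ip: str
    last_seen: float
    cart: list = field(default_factory=list)


class SessionStore:
    """Simplified model of IP-qualified session lookup with expiry (hypothetical)."""

    def __init__(self, wide_open: bool, expire: int = SESSION_EXPIRE):
        self.wide_open = wide_open          # True models "WideOpen Yes"
        self.expire = expire                # models SessionExpire
        self.sessions: dict = {}
        self._counter = 0

    def _new(self, ip: str, now: float) -> Session:
        self._counter += 1
        sess = Session(f"sess{self._counter}", ip, now)  # constructed id, not an IC id
        self.sessions[sess.sid] = sess
        return sess

    def lookup(self, sid, ip: str, now: float) -> Session:
        """Return the session for (sid, ip), or a fresh one if the id cannot be honoured."""
        sess = self.sessions.get(sid)
        if sess is None or now - sess.last_seen > self.expire:
            self.sessions.pop(sid, None)     # missing or expired: start over
            return self._new(ip, now)
        if not self.wide_open and sess.ip != ip:
            return self._new(ip, now)        # IP qualification: other address gets its own session
        sess.last_seen = now
        return sess


def demo(wide_open: bool):
    """Owner fills a cart; another IP presents the same id; owner returns after 10 and then 25 min."""
    store = SessionStore(wide_open)
    owner = store.lookup(None, "10.0.0.1", 0.0)
    owner.cart.append("widget")
    other = store.lookup(owner.sid, "10.0.0.2", 60.0)        # same id from a shared URL
    shared = other.sid == owner.sid                           # True only when WideOpen is on
    after_break = store.lookup(owner.sid, "10.0.0.1", 600.0)  # 10-minute tea break
    next_visit = store.lookup(owner.sid, "10.0.0.1", 2100.0)  # 25 min after last contact
    return shared, list(after_break.cart), list(next_visit.cart)
```

With the IP check on, the second address never sees the owner's cart; with WideOpen it does, which is why a short SessionExpire matters in that configuration.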