[ic] New SecureProtect directive to prevent sidejacking

Mike Heins mike at perusion.com
Sat Oct 30 03:51:41 UTC 2010

Quoting Peter (peter at pajamian.dhs.org):
> On 30/10/10 11:28, Josh Lavin wrote:
> > New SecureProtect configuration directive (sidejacking fix)
> > 
> > Author: Mike Heins
> > 
> > This is a defense to "sidejacking", the collection of a session cookie
> > by a host on an unsecure network. When SecureProtect is active, the
> > UserDB login process creates a passhash of the encrypted password. This,
> > along with username, login_table, and a "secret" set in the
> > configuration, is used to check subsequent secure accesses to the catalog.
> This is great.  I've been wanting to implement something like this
> myself for ages but just haven't had the time.
> I take it that this only protects the session for secure pages, so if
> you implement this you should make sure that any important input or
> sharing of private details happens on a secure page (via the
> AlwaysSecure and ExtraSecure directives)?

You also need to have a logged in status to be protected. Obviously
you couldn't get to a secure login page otherwise....

Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.328.4479  <mike at perusion.com>

There comes a time when you should stop expecting other people to make
a big deal about your birthday. That time is age 12. -- Dave Barry

More information about the interchange-users mailing list