[ic] New SecureProtect directive to prevent sidejacking
mike at perusion.com
Sat Oct 30 03:57:39 UTC 2010
Quoting Peter (peter at pajamian.dhs.org):
> On 30/10/10 11:28, Josh Lavin wrote:
> > New SecureProtect configuration directive (sidejacking fix)
> > Author: Mike Heins
> > This is a defense to "sidejacking", the collection of a session cookie
> > by a host on an unsecure network. When SecureProtect is active, the
> > UserDB login process creates a passhash of the encrypted password. This,
> > along with username, login_table, and a "secret" set in the
> > configuration, is used to check subsequent secure accesses to the catalog.
> This is great. I've been wanting to implement something like this
> myself for ages but just haven't had the time.
It is a starting point. I have already identified at least one
more configuration option, which would be TTTTT_page where
TTTTT is the login table. This would allow you to have different
re-authentication pages for different roles.
Also, we should scrub the "passhash" at logout. It isn't really
that insecure to show it, as a crypted value is then MD5ed, but
it still probably shouldn't remain in the session after logout.
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.328.4479 <mike at perusion.com>
There comes a time when you should stop expecting other people to make
a big deal about your birthday. That time is age 12. -- Dave Barry
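
The check described in this thread, as an added example (not Interchange's own code and not from the original post). It assumes the username, login_table, passhash and configured secret are bound together with HMAC-SHA256 into a token carried in a cookie marked Secure, so it is never sent over plain HTTP; all function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Constructed value standing in for the "secret" set in the configuration.
SECRET = b"constructed-demo-secret"


def passhash(crypted_password: str) -> str:
    # As described in the thread: the already-crypted password is MD5ed.
    return hashlib.md5(crypted_password.encode()).hexdigest()


def secure_token(session: dict) -> str:
    # Assumption: the values named in the commit message are combined with
    # HMAC-SHA256 keyed by the secret. The page does not say how they are mixed.
    fields = (session["username"], session["login_table"], session["passhash"])
    message = "\x00".join(fields).encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def login(session: dict, username: str, login_table: str, crypted_password: str) -> str:
    # Store the passhash server-side and return the token for a Secure cookie.
    session.update(
        username=username,
        login_table=login_table,
        passhash=passhash(crypted_password),
    )
    return secure_token(session)


def check_secure_access(session: dict, presented_token) -> bool:
    # A session id sniffed on an open network arrives without the Secure
    # cookie, so the request fails here and can be sent to re-authenticate.
    if not presented_token or "passhash" not in session:
        return False
    expected = secure_token(session).encode()
    return hmac.compare_digest(expected, presented_token.encode())


def logout(session: dict) -> None:
    # The follow-up suggested in the reply: scrub the passhash at logout.
    session.pop("passhash", None)
```
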