WideOpen — disable IP-based qualification of user sessions (the directive degrades catalog security!)
The WideOpen directive disables IP-based qualification of user sessions, and everyone's hostname part of the Interchange cookie is set to nobody.
This increases compatibility, but reduces catalog security. When this directive is enabled, no IP-based checking is done, so anyone guessing and supplying a valid session ID can hijack another client's session.
The option was introduced to achieve more compatibility with old browsers, at the cost of some security. Do not enable it unless your clients experience problems caused by IP addresses that change from access to access. Also do not use it unless you are using encryption (PGP/CreditCardAuto) or a real-time payment gateway, or the risk may be too high.
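To make the trade-off concrete, the following is a simplified model of IP-qualified session lookup, added here as an example and not taken from Interchange's own code. It assumes that a session is stored under a key built from the session ID plus the hostname part of the client's cookie, and that WideOpen forces that part to nobody as described above; the session ID and client addresses are constructed sample values.

```python
# Simplified model of Interchange-style session qualification (added example,
# not Interchange's code). Assumption: the session store key is the session
# ID plus the client's hostname part; WideOpen forces that part to "nobody".

def session_key(session_id, client_host, wide_open=False):
    """Return the lookup key; with WideOpen the host part is always "nobody"."""
    host = "nobody" if wide_open else client_host
    return f"{session_id}:{host}"


class SessionStore:
    """In-memory session store keyed by session_key()."""

    def __init__(self, wide_open=False):
        self.wide_open = wide_open
        self.sessions = {}

    def create(self, session_id, client_host, data):
        self.sessions[session_key(session_id, client_host, self.wide_open)] = data

    def lookup(self, session_id, client_host):
        """Return the session data, or None when the ID/host pair is unknown."""
        return self.sessions.get(session_key(session_id, client_host, self.wide_open))


def qualification_outcomes(wide_open):
    """Show both sides of the trade-off for one WideOpen setting.

    Returns (owner_ok, other_host_ok, changed_address_ok):
      owner_ok           - original client, original address
      other_host_ok      - a different client presenting the same session ID
                           (the hijack risk the directive documents)
      changed_address_ok - the legitimate client after its address changed
                           between requests (the compatibility case)
    """
    store = SessionStore(wide_open)
    # Constructed sample session ID and documentation-range addresses.
    store.create("s3ss10n", "198.51.100.7", {"user": "alice", "cart": ["sku-42"]})
    owner_ok = store.lookup("s3ss10n", "198.51.100.7") is not None
    other_host_ok = store.lookup("s3ss10n", "203.0.113.9") is not None
    changed_address_ok = store.lookup("s3ss10n", "198.51.100.8") is not None
    return owner_ok, other_host_ok, changed_address_ok


if __name__ == "__main__":
    print("WideOpen No :", qualification_outcomes(False))  # (True, False, False)
    print("WideOpen Yes:", qualification_outcomes(True))   # (True, True, True)
```

With the directive off, a changed address and a foreign host are both rejected; with it on, both are accepted, which is exactly why the compatibility gain and the security loss cannot be separated.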
Example: Enabling WideOpen directive
Put any of the following lines in catalog.cfg:
    WideOpen 1
    WideOpen Yes
Interchange 5.9.0:
Source: lib/Vend/Config.pm
Line 5434 (context shows lines 5434-5446)
    # Parses a yes/no directive value: yes, true, 1, on -> 1; no, false, 0, off -> 0.
    # Anything else is a configuration error (config_error is defined elsewhere in Config.pm).
    sub parse_yesno {
        my($var, $value) = @_;
        $_ = $value;
        if (m/^y/i || m/^t/i || m/^1/ || m/^on/i) {
            return 1;
        }
        elsif (m/^n/i || m/^f/i || m/^0/ || m/^of/i) {
            return 0;
        }
        else {
            config_error("Use 'yes' or 'no' for the $var directive\n");
        }
    }