Feature session ip #259

Merged 14 commits on Dec 29, 2015

@Fasse Fasse commented Dec 27, 2015

#227 + #257

  • check ip-address
  • refresh auto login on every script call
  • delete all auto login of user on invalid auto login id


Fasse commented Dec 27, 2015

@ximex can you review the code?

@ximex ximex added this to the v3.1 milestone Dec 27, 2015

ximex commented Dec 28, 2015

Here are the params to change the length of the session_id:

ini_set('session.hash_function', '1');
ini_set('session.hash_bits_per_character', 6);

Maybe we should set them. The first one should make the session more secure (better hashing algo).

Table columns with session Id should be 40 chars.

Use secure random gen for generating the auto login id. (Look at the passwordhashing class.)
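
An added example, not code from this pull request or the project: it works through the session id lengths the two ini settings above produce, and sketches the three checks listed in the pull request description using a 40-character auto login id from a secure random source. The function names, the array layout standing in for the database table, and the reading of "refresh" as rotating the id are assumptions.

```php
<?php
// Added illustration, not code from this pull request; all names are hypothetical.

// Characters in a PHP < 7.1 session id: digest bits / bits per character, rounded up.
function sessionIdLength(int $hashBits, int $bitsPerChar): int
{
    return (int) ceil($hashBits / $bitsPerChar);
}

// 20 bytes from the OS CSPRNG as 40 hex characters, sized for a 40-char column.
function newAutoLoginId(): string
{
    return bin2hex(random_bytes(20));
}

// $rows is a constructed array standing in for the auto login table.
// Returns [new id or null, updated rows].
function checkAutoLogin(array $rows, int $userId, string $presentedId, string $ip): array
{
    foreach ($rows as $i => $row) {
        if ($row['user'] === $userId && hash_equals($row['id'], $presentedId)) {
            if ($row['ip'] !== $ip) {
                return [null, $rows];               // ip-address check failed
            }
            $rows[$i]['id'] = newAutoLoginId();     // assumed meaning of "refresh"
            return [$rows[$i]['id'], $rows];
        }
    }
    // Unknown id for this user: delete all of the user's auto logins.
    $rows = array_values(array_filter($rows, fn ($r) => $r['user'] !== $userId));
    return [null, $rows];
}

// Constructed sample data (203.0.113.0/24 is a documentation range).
$rows = [
    ['user' => 7, 'id' => newAutoLoginId(), 'ip' => '203.0.113.5'],
    ['user' => 7, 'id' => newAutoLoginId(), 'ip' => '203.0.113.9'],
    ['user' => 8, 'id' => newAutoLoginId(), 'ip' => '203.0.113.5'],
];

printf("md5/4=%d sha1/4=%d sha1/6=%d\n",
    sessionIdLength(128, 4), sessionIdLength(160, 4), sessionIdLength(160, 6));

[$id, $rows] = checkAutoLogin($rows, 7, $rows[0]['id'], '203.0.113.5');
printf("valid id, same ip: %s\n", $id !== null ? 'accepted, id rotated' : 'rejected');

[$id, $rows] = checkAutoLogin($rows, 7, str_repeat('0', 40), '203.0.113.5');
printf("unknown id: %s, rows left: %d\n", $id === null ? 'rejected' : 'accepted', count($rows));
```

PHP 7.1 removed `session.hash_function` and `session.hash_bits_per_character` in favour of `session.sid_length` and `session.sid_bits_per_character`, so on current PHP the id length is set directly rather than derived from a digest size.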

ximex commented Dec 28, 2015

fixed the 35/40 chars session_id partly here: 96b7055

* Return the organization id of this session. If AutoLogin is enabled then the
* organization may not be the organization of the config.php because the
* user had set the AutoLogin to a different organization.
*/
Member

add:
* @return int Returns the organization id of this session
change:

if(is_object($this->mAutoLogin))
{
    return (int) $this->mAutoLogin->getValue('atl_org_id');
}
else
{
    return (int) $this->getValue('ses_org_id');
}

Member Author

done

Fasse commented Dec 29, 2015

Then we can merge.

Fasse added a commit that referenced this pull request Dec 29, 2015
@Fasse Fasse merged commit 1b75e20 into master Dec 29, 2015
@ximex ximex deleted the feature-session-ip branch December 29, 2015 20:11