session hijacking

Hannah Smith
Number of replies: 3

If someone managed to get hold of the moodle session id cookie for a recently started moodle session, what further checks are there to stop them hijacking the session?

I see IP address is recorded in the log table so this might be one further check, but can this be matched with the session id, particularly if sessions are being recorded in flat files on the server rather than in the database?

Average rating: -
In reply to Hannah Smith

Re: session hijacking

Iñaki Arenaza
Core developers, Documentation writers, Peer reviewers, Plugin developers
As far as I know, there are no further checks, except for the administrators' sessions, where a random session key (in addition to the session id) is used.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: session hijacking

Tim Hunt
Core developers, Documentation writers, Particularly helpful Moodlers, Peer reviewers, Plugin developers
Sesskey is used pretty much everywhere, not just for admins.

If you really care about security, you will use HTTPS.

We really need Petr Skoda to see this thread, he knows most about Moodle security.
In reply to Tim Hunt

Re: session hijacking

Petr Skoda
Core developers, Documentation writers, Particularly helpful Moodlers, Peer reviewers, Plugin developers
hi!

If somebody gets your cookies, there is not much you can do - they could be obtained either from the data stream or through JavaScript. In the first case she/he could probably see the plain-text password too if HTTPS is not used. In the other case JS could be used to do anything anyway.

The problem with IP addresses is that they can change - for example some providers (AOL) use strange load-balancing proxies, expired DHCP leases, etc.

Some general recommendations are here: http://docs.moodle.org/en/Security

skodak