session hijacking

Hannah Smith -
Number of replies: 3

If someone managed to get hold of the moodle session id cookie for a recently started moodle session, what further checks are there to stop them hijacking the session?

I see IP address is recorded in the log table so this might be one further check, but can this be matched with the session id, particularly if sessions are being recorded in flat files on the server rather than in the database?

Re: session hijacking

Iñaki Arenaza -
As far as I know, there are no further checks, except for the administrators' sessions, where a random session key (in addition to the session id) is used.

Saludos. Iñaki.

Re: session hijacking

Tim Hunt -
Sesskey is used pretty much everywhere, not just for admins.

If you really care about security, you will use HTTPS.

We really need Petr Skoda to see this thread, he knows most about Moodle security.

Re: session hijacking

Petr Skoda -
hi!

If somebody gets your cookies, there is not much you can do - they could be obtained either from the data stream or through JavaScript. In the first case she/he could probably see the plain text password too if HTTPS is not used. In the other case JS could be used to do anything anyway.

The problem with IP addresses is that they can change - for example some providers (AOL) use strange load balancing proxies, expired dhcp leases, etc.

Some general recommendations are here: http://docs.moodle.org/en/Security

skodak
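The three checks discussed in this thread, as an added illustration that is not Moodle's code and not from any of the posters: a session store issues a random session id and a separate random sesskey, the cookie carries the Secure and HttpOnly attributes that address the two theft vectors Petr names (sniffing and page JavaScript), and an optional IP-binding check shows the false positive that a changing client address produces. The store, the cookie name `MoodleSession` and the IP values are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for Moodle's file or
# database session storage (assumption for this example, not Moodle code).
SESSIONS = {}


def start_session(user, client_ip):
    """Create a session: random id, a separate random sesskey, and the client IP."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        # The sesskey travels in forms and URLs, never in the cookie itself.
        "sesskey": secrets.token_urlsafe(16),
        "ip": client_ip,
    }
    return sid


def cookie_header(sid):
    """Set-Cookie value: Secure keeps the id off plain HTTP (defeats sniffing),
    HttpOnly keeps it out of reach of page JavaScript."""
    return f"MoodleSession={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def check_request(sid, client_ip, sesskey=None, bind_ip=False):
    """Validate a request. Returns (ok, reason).

    A state-changing request must present the sesskey (pass sesskey=...).
    bind_ip=True rejects any request from an IP other than the one recorded
    at login; with load-balancing proxies or new DHCP leases this logs out
    legitimate users, which is the objection raised in the thread.
    """
    s = SESSIONS.get(sid)
    if s is None:
        return False, "unknown session"
    if bind_ip and s["ip"] != client_ip:
        return False, "ip changed"
    if sesskey is not None and not hmac.compare_digest(s["sesskey"], sesskey):
        return False, "bad sesskey"
    return True, "ok"
```

Note that whoever holds the cookie can fetch any page and read the sesskey embedded in it, so the sesskey guards against cross-site request forgery rather than against a stolen cookie; the cookie attributes are what limit the theft itself.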