http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5511
--- Comment #8 from Frère Sébastien Marie <[email protected]> --- (En réponse au commentaire 7) > One of our customers ran into this recently. Given the continued existence > of things like web proxy farms that can result in REMOTE_ADDR changing from > request to request, a general question -- are there any improvements in the > state of the art for anti-session-hijacking measures that would reasonably > allow us to remove the IP address check (or implement a syspref like Amit's > patch tried)? If I remember well, the patch disable by default IP restriction. It is bad: hijacking will be easy (just need to steal cookie, with XSS for example). > IMO, a "restrict session by this IP ? Y/n" widget on the login form doesn't > seem like a friendly UI choice. but bugzilla propose the same on logon (and advice that is better to run with). It should be ok with a system with a syspref "session restriction by IP" - always (and no choice at logon) - yes (choice at logon and yes by default) - no (choice at logon and no by default) - never (and no choice at logon) -- You are receiving this mail because: You are the QA Contact for the bug. You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
