SESSION_CHECK_ADDRESS removed

Support requests, bug reports, etc. go here. Dedicated servers / VDS hosting only
natan
Bear Rating Trainee
Posts: 5
Joined: 26 Jul 2013, 17:28

SESSION_CHECK_ADDRESS removed

Postby natan » 27 Sep 2016, 18:20

Good day!
Found
https://tt-rss.org/gitlab/fox/tt-rss/commit/f5e66c439e9c8881d745499243341b4095274c12

But I cannot find on the forum why you did that.

As far as I can see, validate_session() (in the current git version) does not use IP and user-agent checks.

Sorry if somebody already asked this, but I have not found it.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: SESSION_CHECK_ADDRESS removed

Postby fox » 27 Sep 2016, 18:46

well, off the top of my head, because it has problems with forward proxies/load balancers

same with user-agent checking; it was also a stupid and pointless thing

natan
Bear Rating Trainee
Posts: 5
Joined: 26 Jul 2013, 17:28

Re: SESSION_CHECK_ADDRESS removed

Postby natan » 27 Sep 2016, 18:53

In my mind it is strange to delete a security feature if it can be disabled in the config (the IP check, for example).
Now I'll have a paranoid feeling that my session is unsecured and can be used by everybody who got the sessid.

Thanks.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: SESSION_CHECK_ADDRESS removed

Postby fox » 27 Sep 2016, 20:14

there was no real security to be gained with those checks, only non-obvious headaches for people not using a standard cookie-cutter LAMP setup. you should be using SSL instead.

>Now I'll have a paranoid feeling that my session is unsecured and can be used by everybody who got the sessid.

consider consulting a medical professional if you experience paranoia. i'm sure they got pills for that.
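To make the trade-off in this thread concrete, here is an added example (not tt-rss code, and not fox's or natan's) of a toy session store that can optionally pin a session to the login IP and User-Agent, the way the removed SESSION_CHECK_ADDRESS and user-agent checks did. The two scenario functions show the point from the posts above: behind a forward proxy pool or load balancer the address the app sees changes between requests, so a pinned session gets rejected for a legitimate user; and an attacker who already holds the sessid either shares the victim's apparent address (same NAT or proxy), forges X-Forwarded-For if the app honours it, or simply copies the User-Agent. The names (SessionStore, remote_addr, hijack_succeeds), the cookie name and all addresses and User-Agent strings are constructed for the example.

```python
# Added example, not tt-rss code.  Toy session store with optional IP /
# User-Agent binding plus two scenarios: a legitimate user behind a proxy
# pool, and an attacker replaying a stolen sid.  All names and addresses
# are made up for the illustration.
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Session:
    user: str
    ip: str      # address recorded at login
    ua: str      # User-Agent recorded at login


@dataclass
class SessionStore:
    bind_ip: bool = False   # emulate the old SESSION_CHECK_ADDRESS behaviour
    bind_ua: bool = False   # emulate the old User-Agent check
    sessions: dict = field(default_factory=dict)

    def create(self, user: str, ip: str, ua: str) -> str:
        sid = secrets.token_hex(16)          # 128-bit random session id
        self.sessions[sid] = Session(user, ip, ua)
        return sid

    def validate(self, sid: str, ip: str, ua: str) -> Optional[str]:
        """Return the user owning sid, or None if unknown or a binding fails."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.bind_ip and s.ip != ip:
            return None
        if self.bind_ua and s.ua != ua:
            return None
        return s.user


def remote_addr(peer_ip: str, xff: Optional[str], trust_xff: bool) -> str:
    """Address the application attributes the request to.

    peer_ip is the TCP peer (REMOTE_ADDR, i.e. the proxy node when one is in
    front).  If the app trusts X-Forwarded-For it takes the first hop listed,
    which is whatever the sender wrote unless the proxy overwrites it.
    """
    if trust_xff and xff:
        return xff.split(",")[0].strip()
    return peer_ip


def rejected_behind_pool(bind_ip: bool, egress_ips: List[str]) -> int:
    """A legitimate user logs in via egress_ips[0], then sends one request per
    entry; each request may leave a different proxy / LB node.  Returns how
    many of those requests the store rejects."""
    store = SessionStore(bind_ip=bind_ip)
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"   # constructed
    sid = store.create("natan", remote_addr(egress_ips[0], None, False), ua)
    return sum(
        store.validate(sid, remote_addr(ip, None, False), ua) is None
        for ip in egress_ips
    )


def hijack_succeeds(bind_ip: bool, bind_ua: bool, attacker_ip: str,
                    attacker_ua: str, xff: Optional[str], trust_xff: bool) -> bool:
    """Victim logs in; attacker replays the stolen sid from attacker_ip with
    attacker_ua, optionally forging X-Forwarded-For.  True if accepted."""
    store = SessionStore(bind_ip=bind_ip, bind_ua=bind_ua)
    victim_ip, victim_ua = "203.0.113.5", "VictimBrowser/1.0"   # constructed
    sid = store.create("natan", victim_ip, victim_ua)
    seen_ip = remote_addr(attacker_ip, xff, trust_xff)
    return store.validate(sid, seen_ip, attacker_ua) == "natan"


def session_cookie(sid: str) -> str:
    """Set-Cookie value that keeps the sid off the wire in clear (Secure) and
    away from page scripts (HttpOnly); this, not IP pinning, is what keeps the
    sid from leaking.  The cookie name is a placeholder, not tt-rss's."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

With bind_ip on, a user whose requests egress through three different pool nodes gets two of four requests rejected; with it off, none are. Against a stolen sid, the IP pin only holds when the attacker cannot share or forge the victim's apparent address, and the User-Agent pin falls to a copied header, which is the "no real security to be gained" point above.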

