Re: Re: Invision Power Board v2.1.4 - session hijacking

[matt () invisionpower com]

Hans,

My problem with this report is this:

1) You've not even read the IPB code. You've stated elsewhere that "using sessions in the URL may appear in JS pop-up 
windows". IPB does NOT do this. IPB removes the session ID for all links, including JS code when cookies are enabled.

2) You're missing the point. As stated elsewhere, IPB uses a similar session tracking method to both PHP's own session 
handler and other proprietry methods.

3) Security isn't derived from one not being able to authenticate as the user by knowing their session ID, user IP and 
user agent - it's by making it extremely difficult to gather this information in the first place.

Lets look at this objectively. How are you going to know what another users session ID is unless they post a link to a 
site they're active on in a blog entry? Lets say they post a link to a board on their blog entry. First, their session 
will expire after 30 minutes of no activity - so a potential hacker has a 30 minute window to find out their IP address 
and user agent.
I'm not stupid enough to say that can't be done; but I am realistic to know that no one is going to go to that trouble 
when they could invest that time in attacking the server in other ways.

Finally, I've been using this session code for over 5 years in various products and I know not of a single case where 
one has had their session hijacked using any methods you've stated.

Yes, in an office environment, if one "forgets" to log out and close the browser window, anyone else who has access to 
that machine will be logged in as that user - but that is not IPBs responsibility any more than it is a car 
manufacturers responsibility to ensure that a car cannot be stolen when the alarm is disengaged and the keys in the 
ignition.

Regards,

Matt