Questions answered by this recipe
Can I make my wiki more secure?
Session theft (an attacker obtaining a logged-in user's session ID and presenting it as their own) is one method of impersonation. More details are explained in session security advice.
This recipe makes such attacks a bit harder by verifying some HTTP metadata in addition to the session key: it restricts a session's validity to the IP subnet it was started from and to the same browser name. An attacker would have to fake both in order to reuse a stolen session. Keep its limits in mind: the browser name is derived from the User-Agent header, which the attacker chooses freely, and the subnet check logs out legitimate users whose address changes mid-session (mobile networks, rotating proxies), so treat the recipe as one extra hurdle on top of HTTPS and a properly protected session cookie, not as a replacement for them. This recipe is good to use if you have a person login (for example with AuthUser) or use a password to change your wiki.
There are 2 steps to installing SessionGuard.
Content of the page Site.InvalidLoginInformation, to which the recipe redirects when the check fails:
(:notitle:) !!Your login information seems to be invalid. Technical details: Your session ID seems to belong to another user. Return to [[Main/HomePage|Home]].
Use "require" and not "include" when loading the recipe from config.php: with "include", a missing or misnamed file only produces a warning and the wiki keeps running without the guard, whereas "require" aborts the request. "For security stuff, always require."
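The following is an added example of the mechanism the recipe describes; it is not the SessionGuard recipe's own code. It assumes PmWiki's `PmWiki` constant and `Redirect()` function, an install path of `cookbook/sessionguard.php`, a /24 granularity for the IPv4 subnet, and a simple User-Agent keyword match for the browser name; all helper names are chosen here.

```php
<?php
// Added example, not the SessionGuard recipe's own code. Binds a PHP session
// to the client's IP subnet and browser family and redirects on mismatch.
// Assumptions: PmWiki defines the constant PmWiki and the function
// Redirect(); the file lives at cookbook/sessionguard.php and is loaded from
// local/config.php with
//   require_once("$FarmD/cookbook/sessionguard.php");
// (require, not include: a missing file aborts instead of silently running
// the wiki without the guard).

if (!defined('PmWiki')) exit();

// Page shown when the check fails (the recipe uses Site.InvalidLoginInformation).
$SessionGuardFailPage = 'Site.InvalidLoginInformation';

// Reduce an IP address to its subnet. Assumption of this example: drop the
// last octet of an IPv4 address (/24); keep IPv6 or unparsable input as-is.
function SessionGuardSubnet($ip) {
  if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
    $parts = explode('.', $ip);
    array_pop($parts);
    return implode('.', $parts) . '.0/24';
  }
  return $ip;
}

// Reduce a User-Agent string to a coarse browser name. The keyword list and
// its order are an assumption of this example (Edge and Chrome also say
// "Safari", so the more specific names are tested first).
function SessionGuardBrowser($ua) {
  foreach (array('Firefox', 'Edg', 'Chrome', 'Safari', 'MSIE', 'Trident') as $name) {
    if (stripos($ua, $name) !== false) return $name;
  }
  return 'Unknown';
}

// Hash of the two values the session is bound to. Hashing keeps the raw
// address and User-Agent out of the session file.
function SessionGuardFingerprint($remote_addr, $user_agent) {
  return hash('sha256',
    SessionGuardSubnet($remote_addr) . '|' . SessionGuardBrowser($user_agent));
}

function SessionGuardCheck() {
  global $SessionGuardFailPage;
  // Only clients that present a session cookie are checked; anonymous
  // readers are not given a session just to fingerprint them.
  if (empty($_COOKIE[session_name()])) return true;
  if (session_status() !== PHP_SESSION_ACTIVE) @session_start();
  $now = SessionGuardFingerprint(
    isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
    isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
  if (empty($_SESSION['sessionguard'])) {
    // First request with this session: bind it to the current client.
    $_SESSION['sessionguard'] = $now;
    return true;
  }
  if (hash_equals($_SESSION['sessionguard'], $now)) return true;
  // The session ID is being presented from another subnet or browser.
  // Destroy the session so the stolen ID is worthless, then explain.
  $_SESSION = array();
  session_destroy();
  Redirect($SessionGuardFailPage);
  exit();
}

SessionGuardCheck();
```

The session is bound on the first request that carries a session cookie, which in PmWiki is normally the request right after a login; from then on any request that presents the same session ID from a different /24 or browser family is rejected and the session is destroyed rather than merely ignored, so the attacker cannot keep retrying the same stolen ID.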
This program is free software. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation (http://www.fsf.org), either version 2 of the License, or (at your option) any later version.
Copyright 2007 by GNUZoo
Please email to arrange a donation to the author: guru [snail] gnuzoo [period] org
- Version 2.2 - Change pagename reference Site.SuspicionOfSessionTheft to Site.InvalidLoginInformation
- Version 2.1 - added "if (!defined('PmWiki')) exit();"
- Version 2.0 - renamed - old LoginGuard obsolete
- Version 1.0 - Initial Release
Sven created initial code