I found out user can bypass the login page if they know the osCAdminID and type it on URL.
Is this a security threat?
This is a discussion on "Security Threat? Register Global On" in the osCmax v2 Installation issues forums, part of the osCmax v2.0 Forums category.
Not really, since they are randomly generated by the server. Kinda hard to know a randomly generated number. You can also change a couple of settings in the admin and on the server to hide that id from appearing in the url.
Michael Sasek
osCMax Developer
Well, they have to figure it out within 24 mins of when that ID was last used and you did not LOGOUT - or it will be no good anyway. Garbage collection would have been done on the session - UNLESS someone changed it to a larger number in php.ini ....ie changed: session.gc_maxlifetime = 1440
That 24 mins also means if you're idle for that long you have to re-login - if you're editing in the WYSIWYG editor - NOTHING is passed to the server until you "submit" your changes....hence you could lose your edit.....
Threat? Only if they have a network sniffer and are actively trying to get into your site....oh, then they would have sniffed out the ADMIN user/pass anyway.
Likely - NOT. Possible? Maybe. Chances - VERY REMOTE. Password hacking would be faster/easier......and no need to be connected downstream of you.
JPF - osCMax Forum Moderator
oh thx...
so the ID only works for 24 mins.....it's good enough....
btw...once I know the ID....I can use it within 24 mins....even if the admin has changed the pw already.... (well.....not a threat for me....)
Close - not quite. It works as long as you keep the session alive -- 24 hours a day (in theory) if you want. It will EXPIRE after you log out or after 24 mins of inactivity. IE - you have a "feature" installed in the browser to "refresh" the screen after a set time. This will keep the session alive forever...
Just like the LOST tv show..... every 20 mins press the key....
JPF - osCMax Forum Moderator
No no, I can use the same ID on another PC without logging in
url.com: Search with Many
I sent this link to the other PC....and I can view the orders page without logging in..
Right because the session is still logged in. That is how sessions work. Expire the session by logging out on one machine, and it will no longer work on the other.
What you describe is called session hijacking, by the way, and it is nothing new, nor is it anything to be too terribly concerned about. If you are really nervous about it, simply add .htaccess password protection or limit IP access to your admin directory. Then, even if someone has the session, they still also need to have a password or valid IP just to access the directory.
Michael Sasek
osCMax Developer
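The two replies above (JPF's on the 1440-second `session.gc_maxlifetime` window, and Michael's on session hijacking and the fact that a logout on one machine kills the copied session everywhere) describe the behaviour; the following is an added example of how an application can make a copied osCAdminID value far less useful. It is not osCMax's own code: the function names, the `/admin/` cookie path and the constants are assumptions, and it goes a little beyond the thread by also covering session fixation and cookie flags. The one point worth stating plainly is that a session id carried in the URL does not need a network sniffer to leak; it ends up in browser history, bookmarks, proxy and server logs, and in the `Referer` header sent to any external link clicked from the admin.

```php
<?php
// Added example, not osCMax code. Hardened admin session handling so that a
// session id copied out of a URL is refused, expires on the server's clock
// rather than on garbage collection, and dies everywhere on logout.
// ADMIN_SESSION_NAME comes from the thread; everything else is assumed.

const ADMIN_SESSION_NAME = 'osCAdminID';  // session name seen in the URL in the thread
const ADMIN_IDLE_LIMIT   = 1440;          // seconds; same figure as php.ini's default gc_maxlifetime
const ADMIN_COOKIE_PATH  = '/admin/';     // assumed location of the admin directory

function admin_session_start(): void
{
    // 1. Never read the session id from the query string, never append it to
    //    links, and refuse ids this server did not issue (strict mode). With
    //    these set, ?osCAdminID=... on a URL is simply ignored.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid',    '0');
    ini_set('session.use_strict_mode',  '1');

    // 2. Cookie flags: unreadable by script, never sent over plain HTTP,
    //    never sent on a cross-site navigation.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => ADMIN_COOKIE_PATH,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_name(ADMIN_SESSION_NAME);
    session_start();

    // 3. Enforce the idle limit in application code. PHP's garbage collector
    //    runs only with probability gc_probability/gc_divisor per request, so
    //    a session past gc_maxlifetime can stay valid until it happens to fire.
    $last = $_SESSION['admin_last_activity'] ?? 0;
    if ($last !== 0 && (time() - $last) > ADMIN_IDLE_LIMIT) {
        admin_session_logout();
        session_start();                     // fresh, empty session for the login page
    }
    $_SESSION['admin_last_activity'] = time();
}

function admin_session_login(string $adminId): void
{
    // Issue a new id when privilege changes. An id the attacker planted or
    // captured before the login never becomes an admin session (fixation),
    // and the pre-login id is deleted server-side (the `true` argument).
    session_regenerate_id(true);
    $_SESSION['admin_id']            = $adminId;
    $_SESSION['admin_last_activity'] = time();
}

function admin_session_logout(): void
{
    // Destroy the server-side session, not just the browser's cookie, so every
    // copy of the id (the other PC, the pasted link) stops working at once.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function admin_session_require(): string
{
    // Call on every protected admin page after admin_session_start().
    if (empty($_SESSION['admin_id'])) {
        header('Location: login.php', true, 303);   // assumed login page
        exit;
    }
    return $_SESSION['admin_id'];
}
```

Usage is three calls: `admin_session_start()` at the top of every admin page, `admin_session_require()` on the protected ones, and `admin_session_login($id)` only after the password check succeeds. The Apache-side protection Michael suggests (Basic auth or an IP `Require` in the admin directory's .htaccess) is independent of this and worth keeping as a second layer: an attacker holding a valid session id is then still stopped at the directory.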
I added .htaccess pw protection now
thx ya Michael