mahara-contributors team mailing list archive
Message #06826
[Bug 888424] A change has been merged
Reviewed: https://reviews.mahara.org/843
Committed: http://gitorious.org/mahara/mahara/commit/c7a0ed9a19097fa7154b446a4415d02f34015a42
Submitter: Hugh Davenport (hugh@xxxxxxxxxxxxxxx)
Branch: master
commit c7a0ed9a19097fa7154b446a4415d02f34015a42
Author: Francois Marier <francois@xxxxxxxxxxxxxxx>
Date: Fri Nov 11 15:03:18 2011 +1300
Add admin warning for entropy_length (bug #888424)
This is based on an OWASP recommendation and corresponds to 128
bits of entropy.
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Properties
Change-Id: Ie47779d586c39bc339728e4772467407fac90ee4
Signed-off-by: Francois Marier <francois@xxxxxxxxxxxxxxx>
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/888424
Title:
Warn admins if session.entropy_length is < 16
Status in Mahara ePortfolio:
In Progress
Bug description:
The session.entropy_length variable in php.ini controls how much
entropy is used when generating session keys:
http://nz.php.net/manual/en/session.configuration.php#ini.session.entropy-length
OWASP recommends that session keys contain at least 128 bits (16
bytes) of entropy so we should print a warning on the admin page to
let admins know that they should set this variable to a larger number
(it unfortunately defaults to 0).
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/888424/+subscriptions
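
One way to implement the check the bug report asks for, as an added example (not Mahara's code or the merged commit; the function and constant names are hypothetical). It goes slightly beyond the report by also flagging an empty session.entropy_file on non-Windows hosts, and it skips the check when the setting is absent, as on PHP 7.1 and later, where it was removed.

```php
<?php
// Added example, not Mahara's code. All names below are hypothetical.

const MIN_ENTROPY_BYTES = 16; // 16 bytes * 8 = 128 bits, the threshold in the bug report

/**
 * Return admin warnings for the given session settings.
 * $ini maps setting name => raw ini_get() value (string, or false if the
 * running PHP version has no such setting). $isWindows is passed in so the
 * function can be exercised with constructed input.
 */
function session_entropy_warnings(array $ini, bool $isWindows): array
{
    $raw = $ini['session.entropy_length'] ?? false;
    if ($raw === false) {
        return []; // setting removed in PHP 7.1: nothing to check
    }
    $warnings = [];
    $bytes = (int) $raw;
    if ($bytes < MIN_ENTROPY_BYTES) {
        $warnings[] = sprintf(
            'session.entropy_length is %d (%d bits); set it to at least %d (%d bits).',
            $bytes, $bytes * 8, MIN_ENTROPY_BYTES, MIN_ENTROPY_BYTES * 8
        );
    }
    // Per the PHP manual, the bytes are read from session.entropy_file; on
    // Windows a non-zero length uses the system random API instead.
    $file = (string) ($ini['session.entropy_file'] ?? '');
    if (!$isWindows && $file === '') {
        $warnings[] = 'session.entropy_file is empty, so no entropy source is read.';
    }
    return $warnings;
}

// Constructed sample configurations (not taken from a real server).
$samples = [
    'old default' => ['session.entropy_length' => '0', 'session.entropy_file' => ''],
    'too short'   => ['session.entropy_length' => '8', 'session.entropy_file' => '/dev/urandom'],
    'ok'          => ['session.entropy_length' => '16', 'session.entropy_file' => '/dev/urandom'],
];
foreach ($samples as $label => $ini) {
    $w = session_entropy_warnings($ini, false);
    echo $label, ': ', $w ? implode(' ', $w) : 'no warning', PHP_EOL;
}

// The same check against the running interpreter's configuration.
$live = [
    'session.entropy_length' => ini_get('session.entropy_length'),
    'session.entropy_file'   => ini_get('session.entropy_file'),
];
echo 'live: ', implode(' ', session_entropy_warnings($live, PHP_OS_FAMILY === 'Windows')) ?: 'no warning', PHP_EOL;
```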