mahara-contributors team mailing list archive
Message #08783
[Bug 888424] Re: Warn admins if session.entropy_length is < 16
** Changed in: mahara
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/888424
Title:
Warn admins if session.entropy_length is < 16
Status in Mahara ePortfolio:
Fix Released
Bug description:
The session.entropy_length variable in php.ini controls how much
entropy is used when generating session keys:
http://nz.php.net/manual/en/session.configuration.php#ini.session.entropy-length
OWASP recommends that session keys contain at least 128 bits (16
bytes) of entropy so we should print a warning on the admin page to
let admins know that they should set this variable to a larger number
(it unfortunately defaults to 0).