Hello,
When I manually put a known session ID into the URL field of my browser, I can then substitute for and act as the user who owns the session, generally without any login+password procedure.
Is it a little too big a security risk?
asks
Arndt
OTRSSession security risk ?
Moderator: crythias
- Znuny expert
- Posts: 296
- Joined: 04 Jul 2010, 17:49
- Znuny Version: 3.1.x
- Real Name: Alexander Halle
- Company: radprax MVZ GmbH
- Location: Wuppertal
moved topic
(moved from the developer forum to the appropriate forum)
Alexander Halle
OTRS Community Links: User Meetings, Projects
- Public Relations @ OTRS Community Board / OtterHub
- 2nd-Level Support Agent @ radprax MVZ GmbH
Re: OTRSSession security risk ?
It seems that you switched off the IP check for the session handling...
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
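A simplified model of the IP check mentioned in the reply above, as an added example that is not part of the thread and not OTRS code: the session records the client address seen at login, and the same ID presented from another address is rejected. The class and function names and the sample addresses are assumptions for illustration; in OTRS the corresponding configuration setting is `SessionCheckRemoteIP`.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    remote_ip: str  # client address recorded when the session was created


class SessionStore:
    """Simplified server-side session table (illustrative model, not OTRS code)."""

    def __init__(self, check_remote_ip=True):
        self.check_remote_ip = check_remote_ip
        self._sessions = {}

    def login(self, user, remote_ip):
        # Unguessable ID; the thread's scenario assumes the ID is already known,
        # e.g. because it was visible in a URL.
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = Session(user, remote_ip)
        return session_id

    def authenticate(self, session_id, remote_ip):
        """Return the user name for an accepted request, or None if rejected."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self.check_remote_ip and session.remote_ip != remote_ip:
            # Same ID, different client address: refuse the request.
            return None
        return session.user


def replay(check_remote_ip, replay_ip):
    """Create a session from one address, then present its ID from replay_ip."""
    store = SessionStore(check_remote_ip=check_remote_ip)
    sid = store.login("agent1", "192.0.2.10")  # constructed sample values
    return store.authenticate(sid, replay_ip)


if __name__ == "__main__":
    print("check on,  other address:", replay(True, "198.51.100.7"))
    print("check off, other address:", replay(False, "198.51.100.7"))
    print("check on,  same address: ", replay(True, "192.0.2.10"))
```

With the check enabled, a copied ID is still accepted from the same address (for example, two clients behind one NAT or proxy), so the IP check narrows the exposure without removing it.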