SessionGuard
Summary: Protects against Session Theft (whatever that is)
Version: 2.2
Prerequisites: AuthUser
Status: Working
Categories: Security
Downloads: SessionGuard.php

Questions answered by this recipe
Can I make my wiki more secure?

Description
This recipe will make a wiki more secure. It binds the session to its original IP (subnet). It also binds the browser name. An attacker would have to fake both in order to steal a session. This recipe is good to use if people log in (for example with AuthUser) or use a password to change your wiki.

Installation
There are 2 steps to installing SessionGuard.

Step 1
Create a page called "Site.InvalidLoginInformation". You can customize this page any way you want.
Someone might put:
(:notitle:)
!!Your login information seems to be invalid.
Technical details: Your session ID seems to belong to another user.
Return to [[Main/HomePage|Home]].

In mine I put:
(:redirect Main.HomePage:)

Step 2
Copy SessionGuard.php to your cookbook directory.
If you are using AuthUser, place this before it in your config.php:
require("cookbook/SessionGuard.php");
or in your farmconfig.php enter:
require("$FarmD/cookbook/SessionGuard.php");

Notes
Use "require" and not "include" - "For security stuff, always require."

Release Notes
This program is free software. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation http://www.fsf.org either version 2 of the License, or (at your option) any later version.
Copyright 2007 by GNUZoo (guru@gnuzoo.org)
Please donate to the author at url: http://gnuzoo.org/GNUZooPayPal
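
A sketch of the binding the Description outlines, added here as an example; it is not the contents of SessionGuard.php. The function names (sg_subnet, sg_fingerprint, sg_check), the sg_fp session key and the /24 (IPv4) and /64 (IPv6) subnet widths are assumptions, since the page does not state them.

```php
<?php
// Added illustration of session binding; not the recipe's own code.
// Assumption: "IP (subnet)" means the /24 network for IPv4, /64 for IPv6.

function sg_subnet(string $ip): string {
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return 'invalid';               // unparsable address never matches a real one
    }
    // IPv4 packs to 4 bytes: keep 3 (/24). IPv6 packs to 16 bytes: keep 8 (/64).
    $keep = strlen($bin) === 4 ? 3 : 8;
    return bin2hex(substr($bin, 0, $keep));
}

function sg_fingerprint(string $ip, string $agent): string {
    return hash('sha256', sg_subnet($ip) . "\n" . $agent);
}

// True when the request matches the client that opened the session.
// The first request of a session records the fingerprint.
function sg_check(array &$session, string $ip, string $agent): bool {
    $now = sg_fingerprint($ip, $agent);
    if (!isset($session['sg_fp'])) {
        $session['sg_fp'] = $now;
        return true;
    }
    return hash_equals($session['sg_fp'], $now);
}

// Constructed sample requests (documentation address ranges, made-up agents).
// On a live site the inputs would be $_SESSION, $_SERVER['REMOTE_ADDR']
// and $_SERVER['HTTP_USER_AGENT'].
$session = [];
$requests = [
    ['192.0.2.10',   'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'], // login
    ['192.0.2.77',   'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'], // same /24
    ['198.51.100.4', 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'], // other network
    ['192.0.2.10',   'curl/8.0'],                                       // other browser
];
foreach ($requests as [$ip, $agent]) {
    $ok = sg_check($session, $ip, $agent);
    // On failure a wiki would send the visitor to Site.InvalidLoginInformation.
    printf("%-13s %-12s %s\n", $ip, substr($agent, 0, 12), $ok ? 'accept' : 'reject');
}
```

A mismatch can also come from a legitimate visitor whose network or browser changed mid-session, which is why the failure page from Step 1 offers a way back to the home page.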