
Thread: Session Handling & Security

  1. #1
    Join Date
    11.06.2011
    Posts
    9

    Session Handling & Security

    On the web server there are some security issues surrounding the session handling. If I use for instance
    wget 'http://profilux/user.html?namd=Guest&pass=something'
    to download the user page, then when I open a browser on the same machine I'm automatically logged in. This makes it easy for someone to take over your connection. Connection handling should not be done on a per-machine basis, as it seems to be done.

    I would like to see the following features:
    • Proper session handling
    • The ability to have the web server only allow access to user.html, while disabling the option to log in as admin to make changes.

  2. #2
    Join Date
    09.07.2010
    Location
    Aschaffenburg
    Posts
    987


    This has been discussed several times here. Unfortunately this is not that easy, as the resources of the PL3 are limited.

    To solve your problem and increase security you can call the following directly after your request:
    Code:
    wget 'http://profilux//logout.html'
    Unauthorized log-in is impossible then.

  3. #3
    Join Date
    10.03.2009
    Posts
    478


    How is this really helping, they already have the username and password...

  4. #4
    Join Date
    09.07.2010
    Location
    Aschaffenburg
    Posts
    987


    How is this really helping,
    The PL3 webserver has a timeout of 3 minutes. If you log in, everyone is able to do the same as you (there is no session/user recognition) with the rights of whoever is logged in. So if you log in as admin, everyone is able to do whatever an admin can do.

    These rights will remain until the timeout expires with no user action, or until you log out. So if you do an automatic request, it's a good idea to log out afterwards with a logout request. From the request until the logout the system will not be protected, but the time slot is very small (only a few seconds).

    they already have the username and password...
    If they log the pass with a sniffer or have it already, then there is no protection anymore ....

    Remark: For logging purposes I would suggest using files with an XML or RSS extension, as it's not necessary to log in to get those files. This makes login obsolete then. But for sure, it doesn't protect against DDoS attacks.
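The advice in posts #2 and #4 (log out immediately after every automated request, and prefer the unauthenticated XML/RSS files for logging) as an added POSIX sh example. This is not code from the thread or from the ProfiLux firmware: it assumes the controller answers at $PL_BASE (default http://profilux), uses the namd/pass parameters exactly as typed in post #1, assumes logout.html ends the login, and the file name status.xml in the usage line is a hypothetical placeholder. The point of the wrapper is that the logout is sent from an EXIT trap, so the machine-wide login window is closed even when the download fails or the job is interrupted.

```shell
#!/bin/sh
# Added example, not part of the thread or of the ProfiLux firmware.
# Assumed base URL of the controller; override with PL_BASE=... in the environment.
PL_BASE="${PL_BASE:-http://profilux}"

# Single HTTP GET. Kept in its own function so the transport can be swapped
# (curl, a test stub) without touching the logic below.
do_request() {
  wget -q -O - "$1"
}

# Send the logout request. Runs from the EXIT trap, so it fires on success,
# on failure and on an interrupted job alike; errors here are ignored on purpose.
pl_logout() {
  do_request "$PL_BASE/logout.html" >/dev/null 2>&1 || true
}

# Fetch a page that needs the login, using the parameter names from post #1
# (assumed to be what the controller expects). Returns wget's exit status.
fetch_page_logged_in() {
  page="$1"; user="$2"; pass="$3"
  do_request "$PL_BASE/$page?namd=$user&pass=$pass"
}

# Fetch a file that needs no login (XML/RSS per post #4): nothing is ever
# unlocked on the controller, so this is the preferred route for logging.
fetch_log_unauthenticated() {
  do_request "$PL_BASE/$1"
}

# Run a logged-in fetch with a guaranteed logout afterwards. The subshell
# scopes the trap to this job; its exit status is that of the fetch, not of
# the logout, so the caller still sees download errors.
fetch_with_logout() {
  (
    trap pl_logout EXIT
    fetch_page_logged_in "$1" "$2" "$3"
  )
}

# Usage (status.xml is a placeholder name):
#   fetch_with_logout user.html Guest "$PASS" > user.html
#   fetch_log_unauthenticated status.xml > status.xml
```

Only the few seconds between the first request and the logout remain exposed, which is exactly the residual window post #4 describes; the unauthenticated route has no window at all.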

  5. #5
    Join Date
    07.06.2009
    Posts
    738


    yeah, the webserver is not the best part of the P3.

    I don't know how well it compares to other controllers on the market, security-wise, session-wise and feature-wise (the new webgui might improve), but the core issues will not be solved (((
