Warn admins if session.entropy_length is < 16

Bug #888424 reported by François Marier
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: Medium
Assigned to: François Marier
Milestone:

Bug Description

The session.entropy_length variable in php.ini controls how much entropy is used when generating session keys:

  http://nz.php.net/manual/en/session.configuration.php#ini.session.entropy-length

OWASP recommends that session keys contain at least 128 bits (16 bytes) of entropy so we should print a warning on the admin page to let admins know that they should set this variable to a larger number (it unfortunately defaults to 0).
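
An added example (not code from the Mahara commit linked further down) of the kind of admin check the report asks for: read the live php.ini value, compare it against the 16-byte (128-bit) OWASP minimum, and return a warning string. It assumes a PHP release older than 7.1; in 7.1 and later the session.entropy_length directive no longer exists and ini_get() returns false, which the function treats as "nothing to check".

```php
<?php
// Added example, not Mahara's own code: warn an administrator when PHP's
// session.entropy_length is below the 128-bit (16-byte) minimum recommended
// in the OWASP Session Management Cheat Sheet.
// Assumption: PHP < 7.1. From 7.1 on the directive is gone (replaced by
// session.sid_length / session.sid_bits_per_character) and ini_get() gives false.

const MIN_ENTROPY_BYTES = 16; // 128 bits of entropy

/**
 * Return a warning string for the admin page, or null when the setting is fine.
 * $value defaults to the live php.ini value; pass a value explicitly to test.
 */
function entropy_length_warning($value = null) {
    if ($value === null) {
        $value = ini_get('session.entropy_length');
    }
    if ($value === false) {
        // Directive not present in this PHP build: nothing to warn about here.
        return null;
    }
    // ini_get() returns a string; a blank or non-numeric value counts as 0,
    // which is also the default the report complains about.
    $bytes = (int) $value;
    if ($bytes >= MIN_ENTROPY_BYTES) {
        return null;
    }
    return sprintf(
        'session.entropy_length is %d bytes (%d bits); set it to at least %d '
        . 'in php.ini so session IDs carry at least 128 bits of entropy.',
        $bytes, $bytes * 8, MIN_ENTROPY_BYTES
    );
}

// Usage on an admin page: print the warning only when one applies.
if ($msg = entropy_length_warning()) {
    echo '<div class="warning">' . htmlspecialchars($msg) . '</div>';
}
```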

tags: added: bite-sized
Changed in mahara:
assignee: nobody → François Marier (fmarier)
François Marier (fmarier) wrote:
Changed in mahara:
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote: A change has been merged

Reviewed: https://reviews.mahara.org/843
Committed: http://gitorious.org/mahara/mahara/commit/c7a0ed9a19097fa7154b446a4415d02f34015a42
Submitter: Hugh Davenport (<email address hidden>)
Branch: master

commit c7a0ed9a19097fa7154b446a4415d02f34015a42
Author: Francois Marier <email address hidden>
Date: Fri Nov 11 15:03:18 2011 +1300

    Add admin warning for entropy_length (bug #888424)

    This is based on an OWASP recommendation and corresponds to 128
    bits of entropy.

    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Properties

    Change-Id: Ie47779d586c39bc339728e4772467407fac90ee4
    Signed-off-by: Francois Marier <email address hidden>

Changed in mahara:
status: In Progress → Fix Committed
tags: added: newfeature
Melissa Draper (melissa)
Changed in mahara:
status: Fix Committed → Fix Released