Advanced session hijacking mitigation #75
Commits on Jul 31, 2014
-
Advanced session hijacking mitigation
utilizing ssl_session_id (when mod_ssl is enabled) and ip/user-agent when using raw http connections an additional check is done to ensure that cooked are not copied between systems thus preventing session hijacking If a user with a valid CAS session attempts to copy another user's cookie the existing CAS session will simply reestablish and the stolen cookie will be invalidated. While this could potentially create a denial of service; the risk is limited to non-https connections.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.