interfasys (September 17, 2014): I've noticed that Blesta does not follow PHP's recommended security practices when it comes to sessions. Maybe it should?
interfasys (September 17, 2014): The Hotfix is for PHP 5.5+ afaik, no?
wfitg (September 17, 2014): Yes. Perhaps I misunderstood. A developer should be in soon to answer. But if you need more info on the Hotfix: http://www.blesta.com/forums/index.php?/topic/2176-php-55-hotfix-for-blesta-313/
Cody (September 25, 2014):
> I've noticed that Blesta does not follow PHP's recommended security practices when it comes to sessions. Maybe it should?

What exactly are you referring to?
interfasys (September 25, 2014):
> What exactly are you referring to?

I've just looked at a few settings from that page, and although hosts can implement most of them on their own, Blesta could tighten the security of its session management using some of the tips found on that page, unless you're not using PHP sessions.
Cody (September 25, 2014):
> I've just looked at a few settings from that page, and although hosts can implement most of them on their own, Blesta could tighten the security of its session management using some of the tips found on that page, unless you're not using PHP sessions.

I meant, what explicitly do you think we should consider? Safe mode added in 5.4? What else? Blesta already uses HTTPOnly. Secure cookies aren't feasible because not everyone forces SSL. That's why I'm asking, specifically, what options you think Blesta should support.
interfasys (September 25, 2014): Ah.

session.cookie_httponly = On
session.hash_function = "sha256"
session.cookie_secure = On

The last one only when SSL is enabled, just like you might want to send HSTS headers if you don't already.
mrrsm (September 26, 2014):
> Ah.
> session.cookie_httponly = On
> session.hash_function = "sha256"
> session.cookie_secure = On
> The last one only when SSL is enabled, just like you might want to send HSTS headers if you don't already.

It sounds like everything you want done is something that the host should mainly be doing, or a configuration that you can make on the server.
flangefrog (September 26, 2014):
> Ah.
> session.cookie_httponly = On
> session.hash_function = "sha256"
> session.cookie_secure = On
> The last one only when SSL is enabled, just like you might want to send HSTS headers if you don't already.

I don't think HSTS should be enabled by default. It's great and I use it myself, but it's not something you can just disable if you don't want it.
wfitg (September 26, 2014):
> I don't think HSTS should be enabled by default. It's great and I use it myself, but it's not something you can just disable if you don't want it.

If I understand the OP correctly, this could be used:

ini_set('session.cookie_httponly', 1);

But it can be done using .htaccess too:

<IfModule php5_module>
    php_value session.cookie_httponly true
</IfModule>

More: http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php
interfasys (September 26, 2014):
> It sounds like everything you want done is something that the host should mainly be doing, or a configuration that you can make on the server.

Yeah, but as we know, hosts don't care; some still run Blesta on PHP 5.2, so it's best to be proactive with these things and help them protect their customers' data.

> I don't think HSTS should be enabled by default. It's great and I use it myself, but it's not something you can just disable if you don't want it.

It could be made optional from the settings tab. There could be a new security section where you can enable all these things.

> If I understand the OP correctly, this could be used:
> ini_set('session.cookie_httponly', 1);
> But it can be done using .htaccess too:
> <IfModule php5_module>
>     php_value session.cookie_httponly true
> </IfModule>
> More: http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Never do it via .htaccess in 2014! ini_set is the way to go.
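As an added example (not Blesta's code and not posted by anyone in this thread), here is a PHP session bootstrap that applies the settings proposed above through ini_set(), turning the Secure flag on only when the request actually arrived over SSL, which addresses the "not everyone forces SSL" objection. The helper names request_is_https and harden_session are mine, and deciding the scheme from $_SERVER alone (no proxy headers) is an assumption about the deployment.

```php
<?php
// Added example, not Blesta's code and not posted by anyone in this thread.
// Applies the session settings proposed above via ini_set(), before session_start().
// Assumption: the request scheme is decided from $_SERVER only; forwarded-proto
// headers from a reverse proxy are deliberately not trusted here.

/** True when the current request arrived over TLS, judged from the SAPI variables. */
function request_is_https(array $server)
{
    // Apache/FPM set HTTPS to "on"; some SAPIs set it to "off" on plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** Sets the cookie / session-id hardening flags and returns the effective values. */
function harden_session(array $server)
{
    $secure = request_is_https($server);

    // Keep the session id away from JavaScript (Blesta already does this).
    ini_set('session.cookie_httponly', '1');
    // The session id must come from a cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Reject ids the server did not generate (PHP 5.5.2+; ini_set returns false before that).
    ini_set('session.use_strict_mode', '1');
    // Secure flag only when SSL is actually in use, since not every install forces it.
    ini_set('session.cookie_secure', $secure ? '1' : '0');

    // session.hash_function was removed in PHP 7.1, where session ids are always
    // random and sized by sid_length / sid_bits_per_character instead.
    if (PHP_VERSION_ID < 70100) {
        ini_set('session.hash_function', 'sha256');
    } else {
        ini_set('session.sid_length', '48');
        ini_set('session.sid_bits_per_character', '6');
    }

    return array(
        'httponly' => ini_get('session.cookie_httponly'),
        'secure'   => ini_get('session.cookie_secure'),
    );
}

harden_session($_SERVER);
session_start();
```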
Cody (September 26, 2014): HSTS has to be configured domain-wide, so it should only be done via server config, not per application. I'm not sure many people install only Blesta on their domain.
wfitg (September 27, 2014): httpd.conf "includes" are the way to go. A good way to DENY iframes too.
Hawkevan (April 21, 2021): I notice many customer management and support systems for web hosting providers do not follow some security practices when it comes to sessions. Security standards are vital to the well-being of any website, large or small. That's why site owners are often bombarded by warnings of security risks. For instance, after hours of searching for why encryption is important for data protection in PHP, I got this php encode password, which has shown in detail how to secure data from hackers.