I am updating from mantis 1.1.x to 1.2.x and I have a new login for my users now.
Secure Session Only allow your session to be used from this IP address.
I would like to disable this option since I expect problems during the usage of it by the testers using mantis.
Is there a setting where I could switch this option off?
Thanks
eelco
Disable "secure session" prompt
Re: Disable "secure session" prompt
eelcodegraaff wrote: since I expect problems during the usage of it by the testers using mantis.
Which problems do you expect?
eelcodegraaff wrote: Is there a setting where I could switch this option off?
Adding the following line to your config_inc.php should do the job:
$g_session_validation = OFF;
Re: Disable "secure session" prompt
Thanks for the quick reply, where should I find it in the manual? I missed it.
Is there a list of all possible options that could be configured?
I don't understand the security risk.
When someone logs on to mantis from another machine, or when you use DHCP, you could run into problems with people who are not able to make a connection to mantis, or am I wrong?
When you want to have it secure I expect you use SSL and make sure you use NTLM or LDAP authentication. Logging the IP number as the only system that has the right to log in, is that what people want?
regards
eelco
Re: Disable "secure session" prompt
eelcodegraaff wrote: Is there a list of all possible options that could be configured?
config_defaults_inc.php is the best source for this (better than any manual)

eelcodegraaff wrote: I don't understand the security risk.
If you are interested in further details, google for "Session hijacking"

eelcodegraaff wrote: When someone logon to mantis from a other machine or when you use dhcp you could run problems people that are not able to make a connection to mantis or am i wrong?
I am not a real expert for this, but I think you are wrong. The IP address is just used to check for one session. So there should be no problem with DHCP or when working from another machine, because this is a new session.

eelcodegraaff wrote: When you want to have it secure i expect you use ssl
Of course this will enhance security, but not every installation of MantisBT will use SSL. So the "Secure Session" option of MantisBT should give a little bit more security also for the "poor" users.

eelcodegraaff wrote: Logging the ip number as only system that have the right to login is that what people want?
It's not the only system, it's an additional feature after you logged in (and if you want, after you logged in via LDAP if you configured this in MantisBT)
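
An added illustration of the point made in the last reply, not part of the thread and not MantisBT's own code: a session bound to the address it was created from is rejected when the same session id arrives from another address, while a fresh login from a new address simply gets its own session. The class and method names are hypothetical, the destroy-on-mismatch behaviour is an assumption of this sketch, and the addresses are constructed samples.

```php
<?php
// Illustrative sketch only: NOT MantisBT's session code.
// SessionStore, login() and validate() are hypothetical names.

final class SessionStore
{
    /** @var array<string, array{user: string, ip: string}> */
    private array $sessions = [];

    // A successful login always creates a fresh session, bound to the
    // address the login request came from.
    public function login(string $user, string $clientIp): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['user' => $user, 'ip' => $clientIp];
        return $id;
    }

    // Every later request must present the session id from that same
    // address. On a mismatch this sketch destroys the session (an
    // assumption), so a copied cookie stops working and the legitimate
    // user just logs in again.
    public function validate(string $id, string $clientIp): ?string
    {
        $session = $this->sessions[$id] ?? null;
        if ($session === null) {
            return null;
        }
        if ($session['ip'] !== $clientIp) {
            unset($this->sessions[$id]);
            return null;
        }
        return $session['user'];
    }
}

// Constructed sample addresses from the documentation ranges.
$store = new SessionStore();
$sid = $store->login('tester1', '192.0.2.10');

var_dump($store->validate($sid, '192.0.2.10'));    // same address as the login
var_dump($store->validate($sid, '203.0.113.77'));  // same cookie, other address

$sid2 = $store->login('tester1', '198.51.100.5');  // new lease, new login
var_dump($store->validate($sid2, '198.51.100.5')); // the new session is valid
```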