Disable "secure session" prompt

Posted: 21 May 2010, 13:59
by eelcodegraaff
I am updating from mantis 1.1.x to 1.2.x and I have a new login for my users now.

"Secure Session: Only allow your session to be used from this IP address."

I would like to disable this option since I expect problems during the usage of it by the testers using mantis.

Is there a setting where I could switch this option off?

Thanks
eelco

Re: Disable "secure session" prompt

Posted: 21 May 2010, 16:59
by atrol
eelcodegraaff wrote: since i expect problems during the ussage of it by the testers using mantis.
Which problems do you expect?
eelcodegraaff wrote: Is there a setting where i could switch this option off?
Adding the following line to your config_inc.php should do the job

    $g_session_validation = OFF;

But there is the following warning in the default configuration file for this: "Disabling this could be a potential security risk!!"

Re: Disable "secure session" prompt

Posted: 21 May 2010, 20:24
by eelcodegraaff
Thanks for the quick reply, where should I find it in the manual? I missed it.
Is there a list of all possible options that could be configured?

I don't understand the security risk.
When someone logs on to mantis from another machine, or when you use DHCP, you could run into problems with people not being able to make a connection to mantis, or am I wrong?
When you want to have it secure, I expect you use SSL and make sure you use NTLM or LDAP authentication. Logging the IP number as the only system that has the right to log in, is that what people want?

regards

eelco

Re: Disable "secure session" prompt

Posted: 24 May 2010, 11:16
by atrol
eelcodegraaff wrote: Is there a list of all possible options that could be configured?
config_defaults_inc.php is the best source for this (better than any manual ;-) )
eelcodegraaff wrote: I don't understand the security risk.
If you are interested in further details, google for "Session hijacking"
eelcodegraaff wrote: When someone logon to mantis from a other machine or when you use dhcp you could run problems people that are not able to make a connection to mantis or am i wrong?
I am not a real expert for this, but I think you are wrong. The IP address is just used to check for one session. So there should be no problem with DHCP or when working from another machine, because this is a new session.
eelcodegraaff wrote: When you want to have it secure i expect you use ssl
Of course this will enhance security, but not every installation of MantisBT will use SSL. So the "Secure Session" option of MantisBT should give a little bit more security also for the "poor" users.
eelcodegraaff wrote: Logging the ip number as only system that have the right to login is that what people want?
It's not the only system, it's an additional feature after you have logged in (and, if you want, after you have logged in via LDAP, if you configured this in MantisBT).
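To make the point of the two replies above concrete, here is a constructed PHP sketch of what an IP-bound "secure session" check does and what switching it off gives up. It is an added illustration, not MantisBT's own code; only the setting name $g_session_validation comes from the thread, the ON/OFF constants are defined locally and the functions are hypothetical.

```php
<?php
// Constructed illustration of IP-bound session validation (not MantisBT code).
// $g_session_validation is the setting discussed in the thread; everything else
// is hypothetical and exists only to show the behaviour described there.
define('OFF', 0);
define('ON', 1);

$g_session_validation = ON;

/**
 * Called once, at login: remember the client address the session was created
 * from. Each login creates a fresh session, so a user whose DHCP lease changes
 * or who logs in from a second machine simply gets a new binding.
 */
function session_bind_to_client(array &$session, string $client_ip): void
{
    $session['bound_ip'] = $client_ip;
}

/**
 * Called on every request. Returns true when the session may be used from
 * $client_ip, false when it must be discarded and the user sent back to login.
 */
function session_is_valid(array $session, string $client_ip, int $validation): bool
{
    if ($validation === OFF) {
        // Whoever presents the session cookie is accepted from any address.
        // This is the "potential security risk" the default config warns about:
        // a stolen cookie works unchanged from the attacker's machine.
        return true;
    }
    if (!isset($session['bound_ip'])) {
        return false;  // never bound: refuse rather than assume
    }
    // Compared only against this one session, as atrol explains above; a
    // cookie replayed from a different address is rejected and the user
    // is asked to log in again, which creates a new session.
    return hash_equals($session['bound_ip'], $client_ip);
}

// Constructed walk-through with made-up private addresses.
$session = [];
session_bind_to_client($session, '10.0.0.5');
var_dump(session_is_valid($session, '10.0.0.5', $g_session_validation)); // same address as at login
var_dump(session_is_valid($session, '10.0.0.9', $g_session_validation)); // cookie presented from elsewhere
var_dump(session_is_valid($session, '10.0.0.9', OFF));                   // check disabled
```

Installations behind a NAT gateway or reverse proxy should check which address the application actually sees before relying on this check, since many users may then share one address.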