
Session cookie - send or do not send?

3 years 3 weeks ago #341 by bandizsolti

I read your post about securing Joomla, and I have a question about the session cookie. Why is it good that AdminExile stops sending the session cookie in /administrator?

You wrote that: "This is a method used by Clipper and AdminExile as well as several other security extensions. One key difference is that Clipper and AdminExile prevent the Joomla session cookie from being sent. Other URL token extensions block access to /administrator - but allow the session cookie to be sent. If the cookie is received by an attacker, he immediately knows that something exists at that URL and can continue to probe for a means of entry."

If you test, or if you know, that if a page doesn't exist Joomla will send the session cookie anyway...
Example: I got the session cookie with a 404 error.

So my point is, if Joomla sends this session cookie anyway (for existing pages and for non-existing pages and components), then why does AdminExile stop it in the administrator area? From this, the attacker will know that something exists at that location...
What do you think? I think it would be less noticeable if you got the cookie with the 404 error on the administration page.
Please correct me if I'm not right!
Thanks for your reply in advance!

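The question above boils down to a comparison: does the response a site gives for a hidden /administrator differ, in cookie terms, from the response it gives for any other missing page? The script below is an added example, not code from the forum post, from Joomla or from AdminExile. It parses three raw HTTP responses that are constructed by hand for this example (an ordinary page, a genuine 404 that still sets a cookie, and a blocked /administrator that answers 404 without one); the 32-hex cookie name is a made-up placeholder for whatever session cookie a real site sets. A site owner can feed it their own captured responses to see whether the two 404s are telling the same story.

```python
"""
Added example: check whether a blocked /administrator response can be told
apart from a genuine 404 by its status code and the cookies it sets.
Not part of the forum post, Joomla or AdminExile.
"""
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from a real server).
# The cookie name below is a placeholder, not a real Joomla cookie name.
SAMPLES = {
    "/index.php": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: 0123456789abcdef0123456789abcdef=s3ss10n; path=/; HttpOnly\r\n"
        "\r\n"
        "<html>home</html>"
    ),
    # A page that does not exist: Joomla still starts a session.
    "/no-such-page": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: 0123456789abcdef0123456789abcdef=0th3r1d; path=/; HttpOnly\r\n"
        "\r\n"
        "<html>404</html>"
    ),
    # A URL-token extension answering 404 but suppressing the cookie.
    "/administrator/": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
        "<html>404</html>"
    ),
}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers).
    headers maps lower-cased header names to the list of values seen,
    because Set-Cookie may legitimately appear more than once."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def cookie_names(headers) -> frozenset:
    """Names of every cookie the response tries to set."""
    names = set()
    for value in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        names.update(jar.keys())
    return frozenset(names)


def audit(samples):
    """Per-URL summary: status code and the set of cookie names."""
    report = {}
    for url, raw in samples.items():
        status, headers = parse_response(raw)
        report[url] = {"status": status, "cookies": cookie_names(headers)}
    return report


def distinguishable(samples, hidden="/administrator/", control="/no-such-page"):
    """True when the hidden URL and a genuine 404 differ in status code or
    in the set of cookies, i.e. the response alone shows that the hidden
    path is handled specially."""
    report = audit(samples)
    a, b = report[hidden], report[control]
    return a["status"] != b["status"] or a["cookies"] != b["cookies"]


if __name__ == "__main__":
    for url, info in audit(SAMPLES).items():
        print(f"{url:18} {info['status']}  cookies={sorted(info['cookies'])}")
    print("hidden path distinguishable from 404:", distinguishable(SAMPLES))
```

With the sample data `distinguishable(SAMPLES)` is `True`: the fake 404 sets no cookie while the real one does, which is exactly the inconsistency the poster points at. The check only tells you that the two responses differ; whether to make the blocked page set the cookie like every other 404, or to stop every 404 from setting one, is the design choice the thread is asking about.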