Re: "Exploit"...
Reply #13 –
* Would it help to use session_regenerate_id(TRUE) frequently?
Worth looking into, I'd think.
* Would it help to protect the session with an additional key:
- Bind to IP -> would probably help but would cause problems for users behind a proxy
... Optional? For the duration of an admin session?
I don't remember Tor's behavior; I think you can get out through a different node on any request...
Well, I think so too; it will likely create more problems than it solves.
* encourage users to use AdminEndSession(): Add a big red warning box (the same as if you haven't deleted install.php) with a text like this: "You're currently in Admin Mode, please end your admin session immediately after you've finished your admin tasks"
I'd say yes... It's harmless, and it'd help more.
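The two mitigations the reply endorses, rotating the session ID and pushing admins to end their admin session, as an added example in plain PHP (not code from this thread or from the forum software it discusses). Function names, the `admin_until` session key and the 15-minute lifetime are assumptions for this example; IP binding is deliberately left out for the proxy reason given above.

```php
<?php
// Added example: an admin session that gets a fresh session ID when it is
// elevated, expires by itself after a short time, and can be ended explicitly.
// Names below are assumptions for this example, not the forum software's API.

const ADMIN_SESSION_TTL = 900; // 15 minutes, chosen for this example

function startAdminSession(): void
{
    // Call this only after the admin password has been verified (not shown).
    // A new ID on privilege change defeats session fixation: an ID planted in
    // the browser before login no longer maps to the elevated session.
    // TRUE also deletes the old session data so the old ID cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['admin_until'] = time() + ADMIN_SESSION_TTL;
}

function isAdminSessionActive(): bool
{
    if (!isset($_SESSION['admin_until'])) {
        return false;
    }
    if ($_SESSION['admin_until'] < time()) {
        // Lifetime exceeded: drop admin mode even if the user forgot to.
        endAdminSession();
        return false;
    }
    return true;
}

function endAdminSession(): void
{
    unset($_SESSION['admin_until']);
    // Rotate again so the ID that was valid during admin mode is retired too.
    session_regenerate_id(true);
}

// Usage sketch for a request handler.
session_start();
if (isset($_GET['end_admin'])) {
    endAdminSession();
}
if (isAdminSessionActive()) {
    // The warning box the reply suggests; shown on every admin-mode page.
    echo '<div class="warning">You are currently in Admin Mode. '
       . 'Please end your admin session as soon as your admin tasks are done.</div>';
}
```

Because the admin session is tied to a server-side timestamp rather than to the client IP, it behaves the same for users behind proxies or Tor while still limiting how long a hijacked ID stays useful.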