[Koha] Clarification Regarding Security issue of Koha.

Fridolin SOMERS fridolin.somers at biblibre.com
Thu Nov 3 00:55:45 NZDT 2016

On 02/11/2016 at 12:22, RakeshKumar Singh wrote:
> Dear Sir,
> Good morning Sir,
> There are a few security issues in Koha on which we need some clarification and help in resolving. These issues are as below:
> Issue No 1: In our application, when we log in, a session is created and saved in the cookies of the browser. When we try to open a restricted page of our application from a different instance of the same browser, we are able to get access, as we have already logged in from the same browser. As per my understanding this is happening because the session id is getting stored in cookies. This may also be because of the sharing of cookie values across different tabs of the same browser for the same application.
> Requirement: What we want in our application is how to avoid sharing of cookies across the same browser or different browsers.
How do you access your different instances?
Does each instance have a VirtualHost, or does each instance use a
specific port on the same hostname?

> Issue No 2: There is no salted password mechanism in Koha as per our findings. Whenever we log in to the application, the password can easily be tracked by any proxy as there is no salting mechanism implemented.
You should use HTTPS to secure the authentication system.
Note that inside the database the password is salted and well encrypted.

> We are facing issues in resolving these issues.
> Request you to please help us in this.
> Thanks in advance.
> On 11/01/16 09:13 PM, koha-request at lists.katipo.co.nz wrote:
>> Nau Mai, Haere Mai ki te whanau Koha. Hello and Welcome to the Koha
>> Community.
>> This is just a brief email to help you make the most of the community,
>> and the community make the most of you.
>> The best thing you can do to start is to introduce yourself. A brief
>> email to this mailing list saying who you are and what you want to do
>> is a great way to do that.
>> This is the general discussion list for librarians and others
>> interested in the Koha FOSS (free & open-source software) LMS/ILS
>> (library management system/integrated library system) and related
>> activities. It is a companion to other email lists (see
>> <http://lists.koha-community.org/>) that discuss future development or
>> aspects of the application.
>> Before posting to the list, it's always good to read/search through
>> the mailing list archive <http://dir.gmane.org/gmane.comp.misc.koha>
>> and the manual and FAQs <http://koha-community.org/documentation> for
>> answers to your questions.
>> Please feel free to use this list for announcements, questions and
>> discussions on relevant topics, and please try to keep it positive and
>> polite. Pro-free-software LMS/ILS news is welcome. Debating
>> definitions of “free” is not.
>> Please send plain text emails and if you opt for the digest, change
>> the subject line when you reply (as described at the top of the
>> digest). In general, try to keep subject lines accurate and try to
>> write the sort of message that you'd be happy if it appeared on the
>> letters page of a national newspaper or magazine. Other useful
>> netiquette guidelines can be found in Internet RFC 1855
>> <http://tools.ietf.org/rfc/rfc1855.txt>.
>> Emails from non-subscribers (and other emails held for review) will
>> usually be sent to this list in a batch once a day.
>> Websites and bloggers may find the gmane archive
>> <http://dir.gmane.org/gmane.comp.misc.koha> more useful for linking,
>> because its comment system is open to all.
>> Some other useful sites to keep an eye on are included below:
>> - Koha project home page <http://koha-community.org> - Here you will
>> find links to other Koha websites and announcements of interest to the
>> Koha community.
>> - Koha Bugs <http://bugs.koha-community.org> - Here you will find
>> enhancement projects as well as bugs
>> - Koha Developer Wiki <http://wiki.koha-community.org> - information
>> about the development process and RFCs (Request for Comments)
>> - Koha Git Repository <http://git.koha-community.org/> - patches and
>> enhancements to Koha from the community
>> - Koha Documentation <http://koha-community.org/documentation>
>> We look forward to meeting you and working with you.

Fridolin SOMERS
Biblibre - Support and Systems departments
fridolin.somers at biblibre.com
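The VirtualHost-or-port question above matters because a browser scopes cookies by hostname and path only, never by port (RFC 6265, section 8.5): two Koha instances served from one hostname on different ports share one session cookie, while instances on distinct VirtualHost names do not. The following added example (not code from the thread or from Koha) reproduces that rule with Python's http.cookiejar, which applies the same scoping; the hostnames, ports and the session-cookie name CGISESSID are assumptions constructed for the demonstration.

```python
"""Show whether a login session cookie set by one Koha instance would be
sent by the same browser to a second instance (constructed example)."""
import email
import http.cookiejar
import urllib.request

SESSION_COOKIE = "CGISESSID"   # assumed name of the session cookie


class _CannedResponse:
    """Minimal stand-in for an HTTP response; CookieJar.extract_cookies()
    only needs .info() to return the response headers."""

    def __init__(self, set_cookie_value):
        self._headers = email.message_from_string(
            "Set-Cookie: " + set_cookie_value + "\n")

    def info(self):
        return self._headers


def session_is_sent(login_url, other_url, session_id="s3cr3t"):
    """Log in at login_url (the server answers with a Set-Cookie header),
    then report whether the jar would attach that cookie to other_url.
    A True result means the two URLs share the login session."""
    jar = http.cookiejar.CookieJar()   # behaves like a browser's cookie store
    login = urllib.request.Request(login_url)
    jar.extract_cookies(
        _CannedResponse(f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly"),
        login)
    other = urllib.request.Request(other_url)
    jar.add_cookie_header(other)       # adds a Cookie header only if in scope
    return other.get_header("Cookie", "").startswith(SESSION_COOKIE + "=")


if __name__ == "__main__":
    # Same hostname, different ports: the session is shared (True).
    print(session_is_sent("http://koha.example.org:8080/cgi-bin/koha/mainpage.pl",
                          "http://koha.example.org:8081/cgi-bin/koha/mainpage.pl"))
    # Distinct VirtualHost names: the session stays separate (False).
    print(session_is_sent("http://lib1.example.org/cgi-bin/koha/mainpage.pl",
                          "http://lib2.example.org/cgi-bin/koha/mainpage.pl"))
```

Giving each instance its own hostname (one VirtualHost per instance) is therefore what keeps their sessions apart; a different port alone does not.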
