Xataface 1.3rc3 Released

[shannah]

I have released Xataface 1.3rc3 which includes improved to the site search feature, and adds some small security improvements.

Download it at:
http://sourceforge.net/projects/datafac ... z/download
or
http://sourceforge.net/projects/datafac ... p/download

Change log:

- Changed search results to show portions of page that match query
- Increased time limit on manage_build_index to unlimited - and closed session at
beginning of action to prevent user from being locked out.
- Fixed up the pluggable architecture for searches.
- Added IP address check in the session to prevent people from spoofing sessions
- Fixed search index to index entire record contents instead of just previews.
- Added optimize table command when building index.
- Improved site search options by making it so that you no longer need to have 2 types of
find_actions in order for the site search to work. Also removed the 'filter by' option at
the top of the search results if there is only one type of record in the found set.
- Fixed error in IE when clicking '+' sign next to record in list view - undefined variable
df_add_editable_awareness

[PaulR]

- Added IP address check in the session to prevent people from spoofing sessions

Does this mean that users who are not on a static IP address will always need to log out or clear cookies at the end of each session? If so, is it possible to 'turn off' this feature? (If it presents a serious security risk then of course I could live with it!)

Paul

[jackch]

cool,i like it

[ADobkin]

>- Added IP address check in the session to prevent people from spoofing sessions
>
>Does this mean that users who are not on a static IP address will always need to log out or clear cookies at the end of each session? If so, is it possible to 'turn off' this feature? (If it presents a serious security risk then of course I could live with it!)
>
>Paul

The other new features in 1.3 are very welcome, but I don't see the value in this one the way it works now. As PaulR implied, since updating to 1.3rc3, Xataface throws the following error message every time my IP address changes:

>Your IP address doesn't match the session address. To continue, please clear your cookies or restart your browser and try again.

I often access my site from an iPad or other mobile device, and the IP changes every time my location changes, which makes it very difficult to stay connected. Clearing cookies or restarting a browser every time this happens has other implications when the user has many tabs open with dynamic sessions to other sites. Further, it doesn't seem to prevent someone else from spoofing the session if all they have to do is clear their session cookie or restart their browser. Granted, if two people are actively trying to share the same session ID at the same time, that would be a problem. But is just as likely that the "bad guy" session is active on a different IP while the "good guy" session is idle and unaware of the hijacking.

As PaulR requested, can this feature be disabled, such as in conf.ini? Or is there a better recommendation to solve the problem with changing IP addresses?

BTW, I also noticed that 1.3 now seems to enforce a lower-case (or case-sensitive) username at the login prompt. Prior, we often used mixed-case usernames, so the saved logins stopped working recently. Is this another security feature, and can it also be controlled by a config option?

One last question related to login security issues: Can we have an option to set an automatic login (session cookie) idle timeout on a per-user basis? For example, I would log out certain user accounts after 10-15 minutes of inactivity. I think this would be a more effective security measure than the IP address check, since the session would no longer exist when not actively in use.

Thanks,
Alan