Update documentation (#695)

doc/pages/documentation/1.4/security.html

@@ -387,8 +387,21 @@ ignoreregex =
 
 <p>
 Restart fail2ban
-
 </p>
 
 </div>
-<!-- SECTION "Fail2ban" [6753-] --></div><!-- closes <div class="dokuwiki export">-->
+<!-- SECTION "Fail2ban" [6753-7806] -->
+<h2><a name="sessions_identifier" id="sessions_identifier">Sessions identifier</a></h2>
+<div class="level2">
+
+<p>
+
+You can change the module used for sessions identifier generation. To do, add <code>generateModule</code> key in the configured session backend options.
+</p>
+
+<p>
+We recommend the use of <code>Lemonldap::NG::Common::Apache::Session::Generate::SHA256</code>.
+</p>
+
+</div>
+<!-- SECTION "Sessions identifier" [7807-] --></div><!-- closes <div class="dokuwiki export">-->

doc/pages/documentation/1.4/sessions.html

@@ -49,7 +49,13 @@ To configure sessions, go in Manager, <code>General Parameters</code> » <code>S
 <ul>
 <li class="level1"><div class="li"> <strong>Opening conditions</strong>: rules which are evaluated before granting session. If a user does not comply with any condition, he is prompted a customized message. That message can contain session data as user attributes or macros. The conditions are checked in alphabetical order of comments.</div>
 </li>
-<li class="level1"><div class="li"> <strong>Sessions Storage</strong>: see <a href="../../documentation/1.4/start.html#sessions_database" class="wikilink1" title="documentation:1.4:start">sessions database configuration</a>.</div>
+<li class="level1"><div class="li"> <strong>Sessions Storage</strong>: you can define here which session backend to use, with the backend options. See <a href="../../documentation/1.4/start.html#sessions_database" class="wikilink1" title="documentation:1.4:start">sessions database configuration</a> to know which modules you can use. Here are some global  options that you can use with all sessions backends:</div>
+<ul>
+<li class="level2"><div class="li"> <strong>generateModule</strong>: allows to override the default module that generates sessions identifiers. For security reasons, we recommend to use Lemonldap::NG::Common::Apache::Session::Generate::SHA256</div>
+</li>
+<li class="level2"><div class="li"> <strong>IDLength</strong>: length of sessions identifiers. Max is 32 for MD5 and 64 for SHA256</div>
+</li>
+</ul>
 </li>
 <li class="level1"><div class="li"> <strong>Multiple sessions</strong>, you can restrict the number of open sessions:</div>
 <ul>

doc/pages/documentation/1.4/upgrade.html

@@ -136,8 +136,21 @@ PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SympaAutoLogin
 <p>
 
 </div></p>
-
 </p>
 
 </div>
-<!-- SECTION "Specific handlers" [853-] --></div><!-- closes <div class="dokuwiki export">-->
+<!-- SECTION "Specific handlers" [853-1626] -->
+<h2><a name="security" id="security">Security</a></h2>
+<div class="level2">
+
+<p>
+
+We found that the default session identifier generation may be too simple and can allow to do brute force attack to find a valid session identifier (see <a href="https://jira.ow2.org/browse/LEMONLDAP-695" class="urlextern" title="https://jira.ow2.org/browse/LEMONLDAP-695"  rel="nofollow">https://jira.ow2.org/browse/LEMONLDAP-695</a>).
+</p>
+
+<p>
+We recommend that you use a new generate module. Add <code>generateModule</code> key inside your sessions backend options and use <code>Lemonldap::NG::Common::Apache::Session::Generate::SHA256</code> as value.
+</p>
+
+</div>
+<!-- SECTION "Security" [1627-] --></div><!-- closes <div class="dokuwiki export">-->