--- In zope@egroups.com, Chris McDonough <chrism@d...> wrote:
I suppose I could implement something like this (encode the IP address into the token) and provide a knob to turn it on and off on the id manager. I'm not going to do this for the first iteration, I need to get it working first. :-)
Steve Spicklemire wrote:
I forget now where I saw this.... but one of the session managers I looked at once checked the IP address of the visitor to make sure it was the same for the entire session, or longer. This at least makes it much harder to hijack a session, even though it means that long-lived cookies might be fooled as a user gets a new dynamic IP address...
I think WebHub is using the IP address. WebHub is a product built and working with Delphi. I tried to find where they mention it on their website (http://www.webhub.com) but could not find it. In fact, if I remember well, the server remembers the IP address (instead of crunching it into the id) and checks the correspondence between the session id and the IP address when answering a request. I was told that some ISPs change your IP address during a connection but never took the time to check if it is true.
-steve
> "Chris" == Chris McDonough <chrism@d...> writes:
Chris> Session tokens, AFAICT, cannot be secured. They can only
Chris> be obfuscated, which mitigates the risk that they will be
Chris> guessed. However, there's no way to completely secure
Chris> them, no matter how many MD5 hashing algorithms you run on
Chris> them. If a session token is stolen, that's the key that
Chris> the "attacker" needs to visit the website "as you". I've
Chris> addressed this in the implementation by giving the session
Chris> token a random element, and this mitigates a guessing
Chris> attack, but not a theft attack.
--
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
Cheers,
Godefroid Chapelle
---------------------
BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve
Belgium
---------------------------------------------------------------------
This mail sent through SwinG Webmail: http://mail.swing.be