Re: CoreSessionTracking proposal
--- In zope@egroups.com, Chris McDonough <chrism@d...> wrote:
I suppose I could implement something like this (encode the IP address into the token) and provide a knob to turn it on and off on the id manager. I'm not going to do this for the first iteration, I need to get it working first. :-)
Steve Spicklemire wrote:
I forget now where I saw this.... but one of the session managers I looked at once checked the IP address of the visitor to make sure it was the same for the entire session, or longer. This at least makes it much harder to hijack a session, even though it means that long-lived cookies might be fooled as a user gets a new dynamic IP address...
I think WebHub is using the IP address. WebHub is a product built and working with Delphi. I tried to find where they mention it on their website (http://www.webhub.com) but could not find it. In fact, if I remember well, the server remembers the IP address (instead of crunching it into the id) and checks the correspondence between the session id and the IP address when answering a request. I was told that some ISPs change your IP address during a connection but never took the time to check if it is true.
-steve
> "Chris" == Chris McDonough <chrism@d...> writes:
Chris> Session tokens, AFAICT, cannot be secured. They can only
Chris> be obfuscated, which mitigates the risk that they will be
Chris> guessed. However, there's no way to completely secure
Chris> them, no matter how many MD5 hashing algorithms you run on
Chris> them. If a session token is stolen, that's the key that
Chris> the "attacker" needs to visit the website "as you". I've
Chris> addressed this in the implementation by giving the session
Chris> token a random element, and this mitigates a guessing
Chris> attack, but not a theft attack.
-- Chris McDonough Digital Creations, Publishers of Zope http://www.zope.org
Cheers, Godefroid Chapelle
---------------------
BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve
Belgium
---------------------------------------------------------------------
This mail sent through SwinG Webmail: http://mail.swing.be
At 05:17 PM 10/2/00 +0200, gotcha@swing.be wrote:
I was told that some ISPs change your IP address during a connection but never took the time to check if it is true.
Whether the actual user's IP changes isn't relevant. The question is, can the IP of a proxy server between the user and you change. And that's quite possible. Consider the situation where the round-robin DNS of a bank of proxy servers expires during the user's browsing session, or a bank of proxy servers behind a load balancer on the user's side. Since all the HTTP server ends up seeing is the proxy server's IP, you could potentially have the same user dancing around all over the place, IP address-wise.
Please, please, please, do _not_ use IP numbers to verify it's the same connection. You guys don't have the problem in .us, but out here at the fringes (.au, and presumably .uk and similar), proxy server use is rampant - and leaning on IP breaks, because proxies share the connection around.

Example: Connect.com.au (backbone provider) have three proxy servers in Melbourne, two in Sydney. Their customers have their own proxies. An end user hits the customer's proxy, which requests via ICP from _all_ of CCA's proxies in their region - the fastest proxy at the time responds first. Fastest can, and does, change very quickly when those boxes are close to the same load - a single session often chops between multiple IPs. Then the customer's proxy is also leaning on Telstra's proxies, in a completely different netblock, and sometimes they decide upstream response is too slow and they'll go direct.

People leaning on the source IP for verification just means you get more complaints from .au people unable to use your site. I wouldn't even offer it unless you made some passing attempt to get the browser's own IP (use the proxy header, can't remember which one, that reports browser IP), even then I'd be cautious as that's a voluntary header.

KevinL (that one's a bugbear of mine ;)
gotcha@swing.be wrote:
> --- In zope@egroups.com, Chris McDonough <chrism@d...> wrote:
> I suppose I could implement something like this (encode the IP address into the token) and provide a knob to turn it on and off on the id manager. I'm not going to do this for the first iteration, I need to get it working first. :-)
> [snip]
> In fact, if I remember well, the server remembers the IP address (instead of crunching it into the id) and checks the correspondence between the session id and the IP address when answering a request.
> I was told that some ISPs change your IP address during a connection but never took the time to check if it is true.
> [snip]
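The three design points argued over in this thread (a random element in the token so it cannot be guessed, an optional "knob" that binds the token to a client IP, and Kevin's objection that proxy churn makes such binding reject legitimate users) can be shown side by side in a few lines. The following is an added illustration written for this page; it is not code from CoreSessionTracking, Zope, or any of the posters. The key, the function names and the client-IP policy are all assumptions, and the traffic it replays is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example (assumption: one key for all
# sessions). A real deployment loads it from configuration and rotates it.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(bind_ip=None, key=SERVER_KEY):
    """Issue a session token.

    The random element (16 bytes from the OS CSPRNG) is what makes the token
    hard to guess. If bind_ip is given, the token additionally carries an HMAC
    over (session_id, bind_ip); that is the optional IP-binding knob.
    """
    session_id = secrets.token_hex(16)
    if bind_ip is None:
        return session_id
    tag = hmac.new(key, f"{session_id}|{bind_ip}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def validate_token(token, client_ip, key=SERVER_KEY):
    """Return the session id if the token is acceptable from client_ip, else None."""
    if "." not in token:
        # Unbound token: whoever presents it is accepted, so theft is not detected.
        return token if len(token) == 32 else None
    session_id, tag = token.split(".", 1)
    expected = hmac.new(key, f"{session_id}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    return session_id if hmac.compare_digest(tag, expected) else None


def client_ip(peer_ip, headers, trusted_proxies):
    """Pick the address to bind to (assumed policy).

    X-Forwarded-For is honoured only when the TCP peer is a proxy we operate;
    from anyone else it is the voluntary, spoofable header Kevin warns about.
    """
    if peer_ip in trusted_proxies:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[0].strip()
    return peer_ip


def replay_session(token, peer_ips, key=SERVER_KEY):
    """Validate one token against a sequence of request source IPs and return
    how many of those requests would be rejected."""
    return sum(1 for ip in peer_ips if validate_token(token, ip, key) is None)


if __name__ == "__main__":
    # Constructed traffic: one user whose upstream proxies alternate between two
    # addresses, the situation described for .au proxy farms.
    PROXY_CHURN = ["198.51.100.7", "198.51.100.8", "198.51.100.7", "198.51.100.8"]
    bound = issue_token(bind_ip=PROXY_CHURN[0])
    print("rejected with IP binding   :", replay_session(bound, PROXY_CHURN))
    print("rejected without IP binding:", replay_session(issue_token(), PROXY_CHURN))
```

With binding on, half of the constructed session is rejected even though it is the same user; with binding off, nothing is rejected but a stolen token works from anywhere. That is exactly the trade-off the thread describes, which is why the binding is a per-site knob rather than a default.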
participants (3)
- gotcha@swing.be
- KevinL
- Phillip J. Eby