[Zope-dev] Re: CoreSessionTracking proposal

gotcha@swing.be gotcha@swing.be
Mon, 2 Oct 2000 17:17:07 +0200 (MET DST)


--- In zope@egroups.com, Chris McDonough <chrism@d...> wrote:
> I suppose I could implement something like this (encode the IP address
> into the token) and provide a knob to turn it on and off on the id
> manager.  I'm not going to do this for the first iteration, I need to
> get it working first.  :-)
> 
> Steve Spicklemire wrote:
> > 
> > I forget now where I saw this.... but one of the session managers I looked
> > at once checked the IP address of the visitor to make sure it was the
> > same for the entire session, or longer. This at least makes it much harder
> > to hijack a session, even though it means that long-lived cookies might
> > be fooled as a user gets a new dynamic IP address...

I think WebHub is using the IP address. WebHub is a product built and working with Delphi. I tried to find where they mention it on their website (http://www.webhub.com) but could not find it.

In fact, if I remember well, the server remembers the IP address (instead of crunching it into the id) and checks the correspondence between the session id and the IP address when answering a request.

I was told that some ISPs change your IP address during a connection, but I never took the time to check if it is true.
> > 
> > -steve
> > 
> > >>>>> "Chris" == Chris McDonough <chrism@d...> writes:
> > 
> >     Chris> Session tokens, AFAICT, cannot be secured.  They can only
> >     Chris> be obfuscated, which mitigates the risk that they will be
> >     Chris> guessed.  However, there's no way to completely secure
> >     Chris> them, no matter how many MD5 hashing algorithms you run on
> >     Chris> them.  If a session token is stolen, that's the key that
> >     Chris> the "attacker" needs to visit the website "as you".  I've
> >     Chris> addressed this in the implementation by giving the session
> >     Chris> token a random element, and this mitigates a guessing
> >     Chris> attack, but not a theft attack.
> 
> -- 
> Chris McDonough
> Digital Creations, Publishers of Zope
> http://www.zope.org


Cheers,  


Godefroid Chapelle

---------------------
BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve 
Belgium

---------------------------------------------------------------------
This mail sent through SwinG Webmail: http://mail.swing.be
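As an added illustration of the design debated in this thread (not code from the thread, from Zope's CoreSessionTracking, or from WebHub), here is a minimal Python session store that does what Godefroid describes: it keeps the client IP beside the session id on the server rather than inside the token, checks the pair on every request, and exposes the on/off "knob" Chris mentions. Class and method names are my own; the random token only mitigates guessing, not theft, exactly as Chris points out.

```python
import secrets
import time


class SessionManager:
    """Server-side session store with optional IP binding.

    The session id itself is opaque random data; the client IP is stored
    next to it and compared on each request, never encoded into the id.
    """

    def __init__(self, bind_to_ip=True, max_age=3600):
        self.bind_to_ip = bind_to_ip      # the "knob": IP check on/off
        self.max_age = max_age            # seconds before a session expires
        self._sessions = {}               # token -> {"ip": str, "created": float}

    def create(self, client_ip, now=None):
        # 32 bytes from the OS CSPRNG: infeasible to guess, but a stolen
        # token is still as good as the original (theft is not mitigated).
        token = secrets.token_urlsafe(32)
        created = now if now is not None else time.time()
        self._sessions[token] = {"ip": client_ip, "created": created}
        return token

    def validate(self, token, client_ip, now=None):
        """Return 'ok', 'unknown', 'expired' or 'ip_mismatch'."""
        now = now if now is not None else time.time()
        rec = self._sessions.get(token)
        if rec is None:
            return "unknown"
        if now - rec["created"] > self.max_age:
            del self._sessions[token]
            return "expired"
        if self.bind_to_ip and rec["ip"] != client_ip:
            # A hijacked token replayed from another host and a legitimate
            # user whose ISP renumbered them mid-session look identical here,
            # so the safe choice is to drop the session and require re-login.
            del self._sessions[token]
            return "ip_mismatch"
        return "ok"


if __name__ == "__main__":
    sm = SessionManager(bind_to_ip=True, max_age=100)
    tok = sm.create("10.0.0.5", now=1000)          # constructed sample IP
    print(sm.validate(tok, "10.0.0.5", now=1001))  # ok
    print(sm.validate(tok, "10.0.0.9", now=1002))  # ip_mismatch (session dropped)
```

Turning `bind_to_ip` off gives the behaviour Steve worries about: a user on a changing dynamic IP stays logged in, but so does anyone else holding the token.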