[Zope-dev] Re: CoreSessionTracking proposal
gotcha@swing.be
gotcha@swing.be
Wed, 4 Oct 2000 10:44:11 +0200 (MET DST)
--- In zope@egroups.com, "Chris McDonough" <chrism@d...> wrote:
> Without a client-checking scheme (such as encoding the IP
address in the
> token), a token theft attack is very easy. As voiced by
others in the
> thread, client-checking is not reliable, should not be a
default, and maybe
> shouldn't be included as an option at all.
>
I would like to control finely the session security mechanisms.
I would like to be able to plug a client-checking (or anything
else). This way, each WebApp developper can discriminate among
its own constraints and risks. I want to be able to use
different ways to secure the session.
For example, ther would be cases where I would implement a
client-checking mechanism based on both IP address and browser
time-limited cookie. This would allow me to follow sessions on
people refusing cookies and on people behind "IP dancing"
proxies. I would loose session state for anyone both refusing
browser cookie and being behind "IP dancing" proxy. This would
be an acceptable compromise if I am manipulating highly private
data.
In other cases, I could accept lower-level security related to
the less privacy.
Godefroid Chapelle
---------------------
BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve
Belgium
---------------------------------------------------------------------
This mail sent through SwinG Webmail: http://mail.swing.be