On Tue, Mar 19, 2002 at 01:13:23PM -0800, Wizard wrote:
> > IP addresses are not unique. Many people browse from behind Network Address
> > Translating (NAT) firewalls as well as mega reverse proxies like AOL.
>
> Good point. AFAIK, the only sensitive information being passed is the
> session key in a cookie (encoded time() + IP address). There is a user_name
> cookie, but it only stores the user's login name to allow quicker logins and
> customizations. My reason for wanting to use the IP address was that it
> would be harder to forge a session key AND the IP address.
The problem with the IP address is not sensitivity, but failure.
If multiple AOL users happen to hit your site through the same proxy, they
will have to log in again one after the other every time because the IP
address is only associated with one login.
I understand your reason and wish it could be done. It would be much simpler.
> > The generally accepted method of handling sessions is to generate a unique
> > session id which you identify with the person. The session_id is then
> > associated with the rest of the user information, usually in a
> > database.
> How do you ensure that the session_id isn't forged? What is the identifying
> criteria to match to, other than the session_id?
If you generate unguessable ids, forgery will be quite difficult. There's
also the problem of a replay attack if the id falls into the wrong hands.
You can guard against this by generating different session ids for encrypted
and non-encrypted sessions and making sure to only associate authentication
information with the secure session id. This could be problematic if you
are not always using cookies. Even if you don't do that, it makes sense to
time out the session within a reasonable period of time and also to lock out
accounts upon detection of brute force logins. There's quite a bit that
can be done. It all depends on what you stand to lose were someone to break
your session generation scheme. Of course, pragmatically speaking, the
session stuff is only one layer of security.
True security requires that *everything* be secure. If you lock your doors
and leave your windows open, you still have a big problem. Unless, of
course, you're sitting in the room with a shotgun ;)
% perldoc perlmodlib|grep shotgun
-Gyepi
--
The last time somebody said, 'I find I can write much better with a word processor,'
I replied, 'They used to say the same thing about drugs.'
--Roy Blount, Jr.
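An added illustration of the scheme Gyepi describes, not code from the thread: a server-side session table keyed by an unguessable id rather than by IP, with an idle timeout, a separate secure id that is the only one ever tied to authentication and is refused when presented outside HTTPS, and an account lockout after repeated failed logins. The timeout and lockout thresholds, the `password_ok` flag (password checking is assumed to happen elsewhere), and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60     # seconds before an idle session is dropped (assumed value)
MAX_FAILED_LOGINS = 5      # failed attempts before an account is locked (assumed value)


class SessionStore:
    """Sessions keyed by a random id; the IP address is never part of the key,
    so users sharing one NAT or proxy address do not evict each other."""

    def __init__(self, now=time.time):
        self.now = now          # clock is injectable so tests can advance time
        self.sessions = {}      # sid -> {"user": name or None, "secure": bool, "last": ts}
        self.failed = {}        # user_name -> consecutive failed login count

    def new_id(self):
        # 32 bytes from the OS CSPRNG: unguessable, unlike encoded time() + IP
        return secrets.token_urlsafe(32)

    def create(self, secure=False):
        sid = self.new_id()
        self.sessions[sid] = {"user": None, "secure": secure, "last": self.now()}
        return sid

    def lookup(self, sid, over_https):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last"] > IDLE_TIMEOUT:
            del self.sessions[sid]      # expired: a replayed old id buys nothing
            return None
        if s["secure"] and not over_https:
            return None                 # secure id sent in the clear: refuse it
        s["last"] = self.now()
        return s

    def login(self, user_name, password_ok):
        """Returns a fresh secure session id on success, else None.
        The plain (non-encrypted) session id keeps only preferences and
        never gains authentication, as the thread recommends."""
        if self.failed.get(user_name, 0) >= MAX_FAILED_LOGINS:
            return None                 # locked out after brute force attempts
        if not password_ok:
            self.failed[user_name] = self.failed.get(user_name, 0) + 1
            return None
        self.failed.pop(user_name, None)
        sid = self.create(secure=True)  # set this one as a Secure-only cookie
        self.sessions[sid]["user"] = user_name
        return sid
```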