That's no good; a significant number of ISPs do not route requests
from one user to one web host via the same routes on each request, and
when they use proxy servers, as AOL does, that means every request
comes from a different IP address, even though it's the same user.
Worse still, the IP addresses of the proxy servers are located all
around the world, so even geolocation fails.
Ditch the remote IP check or it won't work at all for a lot of users. I
also feel 15 minutes is dodgy. I like session cookies, not timed
cookies. The user closes the browser and the cookie dies, nice and
simple. If you want to use a timeout, how about something that won't
have any real downsides, like a day or two?
The user agent is probably safe, but some plugins add text to the user
agent, so if the user upgrades Flash, for instance, the session is
instantly voided and unusable, as Flash's version number will change.
The only one of these which limits the usefulness of cookie stealing to
attackers is the IP check, which is totally unusable on the real-world
internet. Timeouts are just annoying, and I don't think extremely
high-security apps which would suit 15-minute timeouts are really the
target audience of Camping.
—
Jenna
On 25/05/2008, at 10:45 PM, Magnus Holm wrote:
You're absolutely right. Not anymore, though. I fixed it in my cs-branch.
Now it will save the data in three cookies: camping_blob, camping_hash
and camping_time. The secure_blob_hasher includes the remote IP and
the user agent, and it also has a timeout of 15 minutes (which can
be overridden with @@state_timeout).
http://github.com/judofyr/camping/commits/cs
On Sun, May 25, 2008 at 5:43 AM, _why <[EMAIL PROTECTED]> wrote:
On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
* The cookie session is named Camping::Session and is placed in
camping/session.rb. Maybe this should be called Camping::CookieSession or???
You know, these cookie sessions seem like they could be a problem.
A lot of sessions would contain just the hash and the user name.
So, spoof the user name and you're in, you know?
_why
_______________________________________________
Camping-list mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/camping-list
--
Magnus Holm
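The design the thread is circling (a blob, a hash over it, and an issue time, with the remote IP and user agent optionally mixed into the hash) can be written down in a few dozen lines. The following is an added illustration, not Camping's Camping::Session nor the cs-branch code Magnus links to; the class name CookieSession, the SECRET placeholder, the ISSUED timestamp and the three demo functions are all constructed for this example. It keeps the MAC and the signed timestamp, leaves the remote IP out (Jenna's objection), and makes user-agent binding an opt-in so the Flash-upgrade failure she describes can be shown rather than argued about.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Illustrative signed cookie session (added example; not Camping's own
# Camping::Session or the cs-branch code from the thread). The cookie is
# three fields, mirroring the blob/hash/time split: a Base64 blob of the
# state, the issue time, and an HMAC over both. Names here are assumed.
class CookieSession
  SEP = '--'

  # secret: server-side key the client never sees (assumed; a real app
  #   would load it from configuration)
  # timeout: seconds a cookie stays valid after issue; nil means no
  #   server-side expiry, i.e. a plain browser-session cookie
  # bind_user_agent: mix the User-Agent into the MAC the way the thread
  #   describes; off by default because plugins change that string
  def initialize(secret, timeout: nil, bind_user_agent: false)
    @secret = secret
    @timeout = timeout
    @bind_user_agent = bind_user_agent
  end

  # Serialise state into the cookie value. The blob is encoded, not
  # encrypted: the user can read it, but cannot change it without the MAC.
  def dump(state, user_agent: '', now: Time.now.to_i)
    blob = Base64.strict_encode64(JSON.generate(state))
    time = now.to_s
    [blob, time, sign(blob, time, user_agent)].join(SEP)
  end

  # Return the state hash, or nil when the cookie is malformed, forged,
  # expired, or (if binding is on) presented from a different User-Agent.
  def load(cookie, user_agent: '', now: Time.now.to_i)
    blob, time, mac = cookie.to_s.split(SEP, 3)
    return nil if blob.nil? || time.nil? || mac.nil?
    # Verify the MAC before trusting anything else in the cookie; the
    # time field is covered by it, so a client cannot extend its own TTL.
    return nil unless secure_equal?(sign(blob, time, user_agent), mac)
    return nil if @timeout && (now - time.to_i) > @timeout
    JSON.parse(Base64.strict_decode64(blob))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(blob, time, user_agent)
    bound = @bind_user_agent ? user_agent : ''
    OpenSSL::HMAC.hexdigest('SHA256', @secret, [blob, time, bound].join(SEP))
  end

  # Constant-time compare, so a forger learns nothing from how many
  # leading bytes of a guessed MAC happened to match.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed demo values; the secret is a placeholder, not a real key.
SECRET = 'change-me-in-config'
ISSUED = 1_211_712_300

# 1. The attack _why raises: swap the blob for one that names "admin".
#    The MAC no longer matches, so load returns nil.
def spoofed_user_rejected?
  s = CookieSession.new(SECRET)
  cookie = s.dump({ 'user' => 'jenna' }, now: ISSUED)
  forged_blob = Base64.strict_encode64(JSON.generate({ 'user' => 'admin' }))
  _blob, time, mac = cookie.split(CookieSession::SEP, 3)
  s.load([forged_blob, time, mac].join(CookieSession::SEP), now: ISSUED).nil?
end

# 2. A 15-minute timeout: still valid at 900 s, gone at 901 s.
def timeout_behaviour
  s = CookieSession.new(SECRET, timeout: 900)
  cookie = s.dump({ 'user' => 'jenna' }, now: ISSUED)
  [s.load(cookie, now: ISSUED + 900), s.load(cookie, now: ISSUED + 901)]
end

# 3. Jenna's Flash-upgrade case: with UA binding on, a plugin appending
#    text to the User-Agent invalidates an otherwise good cookie.
def ua_change_breaks_bound_session?
  s = CookieSession.new(SECRET, bind_user_agent: true)
  cookie = s.dump({ 'user' => 'jenna' }, user_agent: 'Mozilla/5.0', now: ISSUED)
  s.load(cookie, user_agent: 'Mozilla/5.0 Flash/10', now: ISSUED).nil?
end
```

Two points the demo makes concrete: a MAC keyed with a server-side secret is what stops the user-name spoof, independent of IP or user-agent binding, and because the issue time is under the MAC a client cannot push its own expiry forward. The blob is readable by the client, so nothing secret belongs in it; and the IP is deliberately not part of the MAC input, since per the discussion above it varies per request behind proxies such as AOL's.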