> On Mon, Jun 16, 2003 at 10:47:04AM +0100, [EMAIL PROTECTED] wrote: > > session id). Authentication of subesequent pages is assumed only if the > > client's IP address matches the IP address stored in the session > with distributed proxies, it just plain won't work.
I think I understand this, but I'm not sure if it matters.
It matters because IP addresses are now longer assigned to computers. Up until the mid-to-late 90s, your approach would have "worked" although it would not have been very secure. Perhaps it would have helped some, as you suggest.
The point is that, since IP spoofing is difficult (at least, considerably MORE difficult than stealing a session key), you could be fairly sure you were cutting out an awful lot of hacker attacks.
This is your logical error. IP spoofing is not difficult and it is not rare. It is a constant part of any NAT (network address translation) system. It is used everywhere by proxies. You may have hundreds or even thousands of individual computers masked behind a proxy, all with the same IP address.
The second problem is that many ISPs, especially AOL, change the IP address during a session. We learned this the hard way back in 97 at CyberCash, when we tried the same idea.
The solution is not very hard, set a cookie with a strongly created nonce, use that to index into the table of valid sessions. At least it is easy until you want to scale it to many servers.
Pat
Pat Farrell [EMAIL PROTECTED] http://www.pfarrell.com
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
