Thus spake David Maynor ([EMAIL PROTECTED]) [17/11/03 17:30]: > This would break things like NATed machines and such.
Could you explain how, please? If machine A gets NATed to firewall B, and webserver C gets the session... It's going to record the address of firewall B, not machine A. I fail to see how using the connection source's IP address would break NAT.* And I don't know what you mean by 'and such'. Not that I think basing your entire session security on the IP address is a good idea -- proxies and such. Using it as *part* of your session security (onions, people, onions) might work, depending on how a networks round-robin'ed proxies are set up, if the session really *is* needed to be carried cross-machine (I've done it before), or any other reason I haven't thought of yet. FWIW, (and I know how hated they are), SecurityFocus has a mailing list specifically for web application security -- [EMAIL PROTECTED], I believe. - Damian * = The only thing I could think of is session hijacking, if the source IP is your only method of session security, by other machines behind the same NATing gateway. This is possible. Again, onions. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
