Graham,
First, you need to switch to the [EMAIL PROTECTED]
list as the houseoffusion list is being replaced.
Your scheme is a good one except:
1) When dealing with large ISPs like AOL. When surfing
through a large ISP, your IP address can switch many
times. Same thing happens to DSL users, unless they
have paid for a static IP (not likely).
2) You can spoof an IP address fairly easily. In fact,
you can spoof almost anything sent in the header
fairly easily.
Nate
--- Graham Wood <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am currently trying to develop a secure application using
> Fusebox and wondered if anyone can see any security problems
> with the following idea.
>
> User logs in using a secure connection; on successful login the
> user's IP is logged using CGI.REFERER and then the user is
> allocated a unique session number (details stored in database).
> Each link throughout the site passes back to the server the
> session number, which then compares the IP of the requesting
> client to the IP of the user who logged in originally and was
> allocated this session number.
>
> I am sure there are lots of ways to achieve the same goal; I just
> wondered if there are any holes in this design.
>
> Thanks
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
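The design in the quoted post, written out as an added example so the two objections in the reply can be seen on constructed requests. This is illustration code added here, not Fusebox or CFML code from either poster: an in-memory session store binds a random session number to the login IP, and a small set of constructed requests (IPs, header names and the `X-Forwarded-For` header are all my choices for the example) is run through the check. It shows that a legitimate user whose ISP rotates their address is rejected, that an attacker who has the session number and arrives from the same shared address is accepted, and that if the "client IP" is read from a request header instead of the socket peer address, the client can simply write the expected value into that header.

```python
"""IP-bound session numbers: the scheme from the quoted post, exercised on
constructed requests. Example code added for illustration; not from the
original mailing-list posts."""
import secrets


class IpBoundSessions:
    """Session number allocated at login and tied to the login IP."""

    def __init__(self):
        # session_id -> {"user": str, "ip": str}
        self._sessions = {}

    def login(self, user, client_ip):
        sid = secrets.token_hex(16)  # unguessable session number
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def check(self, sid, client_ip):
        """Return the user name if sid exists and the request IP equals the
        IP recorded at login; otherwise None (request rejected)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["ip"] != client_ip:
            return None
        return rec["user"]


def client_ip(request, trust_forwarded_header):
    """Choose which address the session check compares against.

    Reading it from a header the client sends (X-Forwarded-For here, an
    assumed header name for the example) lets the client pick the value;
    the socket peer address is set by the transport, not by a header.
    """
    if trust_forwarded_header and "X-Forwarded-For" in request["headers"]:
        return request["headers"]["X-Forwarded-For"].split(",")[0].strip()
    return request["peer"]


def run_scenario(trust_forwarded_header=False):
    """Run four constructed requests against one logged-in session and
    return {label: accepted?} for each."""
    store = IpBoundSessions()
    # Constructed login: the user authenticates from 10.0.0.5.
    sid = store.login("graham", "10.0.0.5")

    # Constructed requests, all presenting the same session number.
    requests = [
        # The same user, same address: should pass.
        ("same-ip", {"peer": "10.0.0.5", "headers": {}}),
        # The same user after the ISP's proxy pool moved them to a new
        # address (objection 1 in the reply): rejected although legitimate.
        ("isp-rotated", {"peer": "10.0.0.9", "headers": {}}),
        # Someone else who obtained the session number and sits behind the
        # same shared address: indistinguishable from the real user.
        ("shared-proxy", {"peer": "10.0.0.5", "headers": {}}),
        # A different peer that writes the expected IP into a header
        # (objection 2): accepted only if the server trusts that header.
        ("forged-header", {"peer": "192.0.2.77",
                           "headers": {"X-Forwarded-For": "10.0.0.5"}}),
    ]

    results = {}
    for label, req in requests:
        ip = client_ip(req, trust_forwarded_header)
        results[label] = store.check(sid, ip) is not None
    return results


if __name__ == "__main__":
    print("peer address :", run_scenario(trust_forwarded_header=False))
    print("header value :", run_scenario(trust_forwarded_header=True))
```

With the peer address the forged header is ignored, but the rotated-address user is still locked out and the shared-address attacker still gets in; with the header trusted, the forged request passes as well. The IP comparison therefore adds nothing against a client that shares or can set the compared value, and it costs legitimate sessions behind rotating proxies.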