Jonathan Hilgeman <[EMAIL PROTECTED]> wrote:
[snip]
>I accidentally caught them during testing or something and got a variable on
>the URL line. (I substituted the domain name - it's not really cart.com)
>http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E
>
>cartidnum seems to be:
>$IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
>By the way, the session only seems to be active until the browser completely
>shuts down. Any ideas? If I could identify my users on another site without
>using cookies at all, that would be fantastic!
Be careful with using too much magic.

I recently tested/evaluated a product to provide a web interface for email.
It appears that it uses a combination of IP address and URL to track
authenticated users. For example, if I authenticated as foo from 192.168.0.4,
then as long as I was coming from 192.168.0.4, I could read foo's email, even
if I was someone else logged into the machine. The proper URL would be of the
form http://192.168.0.10/foo (if 192.168.0.10 were the server).

While it is nice to assume one person per IP address, there are many cases
when this is not true. In the product I evaluated, guessing the proper URL to
read someone else's email was trivial. Going through an SSL proxy didn't mask
the behavior, just required the use of openssl's client.

In the example you give, the timestamp and unknown number may make it more
difficult to guess the proper information. This is a good thing.

Without some information passing between the client and server that is only
known to them, it is too easy to spoof the client and access a session
unauthorized. There is also no way to distinguish two clients on the same
machine, especially if they are the same application.
--
James Smith <[EMAIL PROTECTED]>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
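The following is an added example, not code from either poster or from the cart product under discussion. It takes the id format Jonathan described (IP, "T", Unix timestamp, "R", a number, "E"), parses a constructed id of that shape, and puts a rough upper bound on how much of it is actually secret, given James's point that the IP is known to whoever is on the client side and the remaining fields are a timestamp and a small number. Beside it is the kind of session store James's last paragraph implies: a token of 32 random bytes from `secrets`, held only by the client and looked up server-side by its hash. The one-hour window and the range of 10,000 for the unknown number are illustrative assumptions, not values from the thread.

```python
import hashlib
import math
import re
import secrets

# Constructed id in the shape described in the thread: <ip>T<unix-timestamp>R<number>E
EXAMPLE_CARTID = "208.144.33.190T990806951R5848E"

_CARTID_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})T(\d+)R(\d+)E$")


def parse_cartid(cartid):
    """Split a structured cart id into its visible components.

    Returns None if the string does not match the format. Every field is
    either public (the client's own IP) or low-entropy (a timestamp, a small
    number), so nothing here is a secret shared only between client and server.
    """
    m = _CARTID_RE.match(cartid)
    if not m:
        return None
    ip, ts, r = m.groups()
    return {"ip": ip, "ts": int(ts), "r": int(r)}


def structured_id_entropy_bits(timestamp_window_seconds, r_range):
    """Upper bound, in bits, on the unknown part of a structured id.

    Assumes (illustratively) that the IP is already known, that the session
    was created within `timestamp_window_seconds`, and that the 'unknown
    number' takes one of `r_range` values. log2 of the product is the most
    secrecy such an id can offer under those assumptions.
    """
    return math.log2(timestamp_window_seconds * r_range)


def random_token_entropy_bits(n_bytes):
    """Entropy of a token made from n_bytes of CSPRNG output."""
    return 8 * n_bytes


class SessionStore:
    """Server-side session table keyed by the SHA-256 of a random token.

    The token is the only thing the client holds and is never stored in the
    clear, so a dump of the table does not yield usable session ids. Lookup
    hashes the presented token and does a dictionary lookup on the digest.
    """

    def __init__(self, token_bytes=32):
        self._token_bytes = token_bytes
        self._sessions = {}  # sha256 hex digest of token -> username

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user):
        # secrets.token_urlsafe(n) returns base64url text of n random bytes
        token = secrets.token_urlsafe(self._token_bytes)
        self._sessions[self._key(token)] = user
        return token

    def lookup(self, token):
        return self._sessions.get(self._key(token))

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    print(parse_cartid(EXAMPLE_CARTID))
    print("structured id, 1h window, 10000 values of R: %.1f bits"
          % structured_id_entropy_bits(3600, 10_000))
    print("32 random bytes: %d bits" % random_token_entropy_bits(32))
    store = SessionStore()
    token = store.issue("foo")
    print(store.lookup(token), store.lookup("not-a-token"))
```

Under the stated assumptions the structured id carries about 25 bits of uncertainty, against 256 for the random token; the store also avoids tying a session to an IP address, so two users behind one address get distinct sessions and a second person on the same machine cannot reuse a session without the token itself.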