Chris Shiflett wrote:
 > Alberto Serra wrote:
 >> If you want to avoid even this small window, just store on a db file
 >> the session numbers you give away, along with the IP address of the
 >> user who got it. Then when you get a new request for that session
 >> check the IP you are getting it from and you are 100% sure the guy is
 >> who he says to be.

 > The 100% part is inaccurate. :)

Much too true LOLOL

 > As a caveat to Mr. Serra's suggestion, remember that there are *many*
 > users who will go through an IP masquerading gateway or proxy, so
 > their IP may fluctuate, even though they are actively browsing. For
 > this reason, it is often necessary to tolerate some fluctuation in
 > the IP address, perhaps only in the last octet though.

Thanks, I guess I'll just do that. I was actually wondering how to leave 
this barrier up without being nasty to normal users. That also solves 
the dial-up problem, at least much of it, as callers will fluctuate 
mostly on the last octet if they do reconnect through the same ISP, 
right? Besides, IP masquerading gateways ARE a problem with the 
suggestion I gave. And I guess this also explains why we are having so 
much trouble counting users (that is, IPs) whenever ADSL connections 
come around. Any suggestions?

 > Another thing some people use to strengthen their security model is to
 > involve some sort of sequence number in the data that the client sends
 > back. For example, instead of just a session ID, perhaps you have a
 > cookie, URL variable, or whatever that is an encrypted (two-way so you
 > can decrypt it) session ID, sequence number, and anything else you
 > might think of to include.

So you mean I have a 32 byte MD5 session id to identify the current 
visit, plus another such thing to identify the step within it, right?
But why decrypt it? A presentation attack would give it back to the 
server in the encrypted form anyway. What do we lose by just generating 
a random MD5 key and using it as it is with no encrypted meaning?

Now, just tell me if I got you right. Since we are comparing 3 IP octets 
plus the two MD5 keys we get an attack window like this:

the hacker has three matching octets on his IP, plus he attacks while 
the real user is still using the visit-session/content-session key the 
hacker has stolen, right? This makes it dangerous for last pages (those 
seen right before exiting the site), as they actually last for ages.

Anyway, it DOES seem more than enough security to me.
Thanks a lot!

Alberto
Kiev

-- 


@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@

LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

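The scheme the thread converges on (a random session id, a per-request sequence number carried by the client, and a check of only the first three octets of the client's IP so that last-octet fluctuation is tolerated), as an added example in Python that is not part of the original list message. It swaps in an HMAC over the sequence number instead of the two-way encryption Chris mentions, since the server only needs to verify the value, not hide it, and it adds an idle timeout to shorten the "last page" window Alberto worries about. The `SessionStore` class, the key, the timeout and the sample addresses are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed example: session id + sequence number, authenticated with an
# HMAC and bound to the client's first three IPv4 octets. All names and
# values here are assumptions for illustration, not code from the thread.


def ip_prefix(ip: str) -> str:
    """Return the first three octets of a dotted IPv4 address.

    Comparing three octets instead of four tolerates the last-octet
    fluctuation that dial-up reconnects and masquerading gateways cause.
    """
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(parts[:3])


class SessionStore:
    """Server-side session table; the client only ever holds an authenticated token."""

    def __init__(self, key: bytes, max_idle: float = 600.0) -> None:
        self.key = key            # server secret for the HMAC (assume 32 random bytes)
        self.max_idle = max_idle  # idle timeout in seconds; bounds the "last page" window
        self.sessions = {}        # sid -> {"seq", "ip_prefix", "last_seen"}

    def _mac(self, sid: str, seq: int) -> str:
        return hmac.new(self.key, f"{sid}:{seq}".encode(), hashlib.sha256).hexdigest()

    def _token(self, sid: str) -> str:
        seq = self.sessions[sid]["seq"]
        return f"{sid}:{seq}:{self._mac(sid, seq)}"

    def create(self, client_ip: str, now: float = 0.0) -> str:
        # 32 hex chars from a CSPRNG: the id carries no meaning, it only has to be unguessable
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"seq": 0, "ip_prefix": ip_prefix(client_ip), "last_seen": now}
        return self._token(sid)

    def validate(self, token: str, client_ip: str, now: float = 0.0):
        """Check a presented token; return (ok, reason, next_token)."""
        try:
            sid, seq_str, mac = token.split(":")
            seq = int(seq_str)
        except ValueError:
            return False, "malformed", None
        if not hmac.compare_digest(mac, self._mac(sid, seq)):
            return False, "bad mac", None          # token altered or forged
        rec = self.sessions.get(sid)
        if rec is None:
            return False, "unknown session", None
        if now - rec["last_seen"] > self.max_idle:
            del self.sessions[sid]
            return False, "expired", None          # idle for too long
        if ip_prefix(client_ip) != rec["ip_prefix"]:
            return False, "ip prefix mismatch", None
        if seq != rec["seq"]:
            # An old sequence number means this token was already consumed:
            # someone holding a copy is replaying it. Drop the session so
            # neither the copy nor the original can continue with it.
            del self.sessions[sid]
            return False, "sequence replay", None
        rec["seq"] += 1
        rec["last_seen"] = now
        return True, "ok", self._token(sid)


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))
    first = store.create("10.1.2.3", now=0.0)
    print(store.validate(first, "10.1.2.77", now=10.0))   # ok: only the last octet changed
    print(store.validate(first, "10.1.2.3", now=20.0))    # replay of the consumed token
```

Each successful request consumes the current token and hands back the next one, so a copied token is only useful until the legitimate browser makes its next request; the idle timeout then covers the case where no further request ever comes.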