Thanks for the insight, Tom.

I guess I had "assumed" it would set a session cookie with an encrypted token (SOP in some platforms). In my case (a hosted account with Zettai.net), I believe the entire session is SSL, but I've never gotten all that far into the application yet, because of the IP issue! I'll pass this info on to George at Zettai, in the hope he'll see fit to drop the IP requirement.

Thanks and Best Regards,
Mike Sharp






From: Tom Collins <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [qmailadmin] Sessions & Cookies (was File Error 6 and IP addresses)
Date: Wed, 19 Mar 2003 11:04:11 -0700


On Wednesday, March 19, 2003, at 10:46 AM, Mike Sharp wrote:
1. Why the authentication based on IP address?

2. Is there any way to turn this off, so that a standard SSL session and cookie is all that's needed to authenticate?

3. Are there any other issues to implementing #2?

Excellent questions.


I assume that the IP address issue was to prevent someone from sniffing the connection to gain a cookie or session ID that would allow them to spoof a connection and make changes.

I have noticed that qmailadmin does not use cookies, and instead passes a lot of information as a part of every URL (or via hidden fields). I have considered starting work on code that would attempt to store that information in a session cookie. If the session cookie worked, it could leave that information out of the URLs (good for keeping it out of referrer logs). If the session cookie fails, it falls back on the old method. I guess it could even be an option at compile time whether it would even try to use a cookie.

I don't think it would be much of a security risk to ignore the IP address checks for security on SSL connections (it would have to start as an SSL connection, and remain that way).

--
Tom Collins
[EMAIL PROTECTED]
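A small model of the session scheme Tom describes, written as an added example for this thread rather than taken from qmailadmin: a session is issued with a random token and remembered together with the client IP and whether it started over SSL; validation keeps the IP check for plaintext sessions (where the token could have been sniffed) and drops it for SSL-only sessions, while refusing any attempt to continue an SSL session over a plaintext request. The timeout value and all function names are assumptions, not anything from qmailadmin.

```python
"""Session validation with IP binding relaxed for SSL-only sessions (added example)."""
import secrets
import time

# Assumed idle timeout; qmailadmin's real timeout is not given in the thread.
SESSION_TTL = 900

# token -> {"ip": str, "ssl_only": bool, "expires": float}
_sessions = {}


def create_session(client_ip, over_ssl, now=None):
    """Issue a random session token bound to the requesting client."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable; not derived from IP or time
    _sessions[token] = {
        "ip": client_ip,
        "ssl_only": over_ssl,        # session must stay on SSL if it began there
        "expires": now + SESSION_TTL,
    }
    return token


def validate_session(token, client_ip, over_ssl, now=None):
    """Return True if the request may use this session.

    SSL-only session: the token was never on the wire in the clear, so a
    changed client IP (NAT, proxy farm, dial-up renumbering) is tolerated,
    but a plaintext request carrying the token is refused outright.
    Plaintext session: the token may have been sniffed, so the original
    IP check is kept as the only defence against replay from elsewhere.
    """
    now = time.time() if now is None else now
    rec = _sessions.get(token)
    if rec is None or now > rec["expires"]:
        return False
    if rec["ssl_only"]:
        return over_ssl  # never downgrade; no IP binding needed
    return rec["ip"] == client_ip


def destroy_session(token):
    """Invalidate a token (logout or after a refused downgrade attempt)."""
    return _sessions.pop(token, None) is not None
```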



