On Wed, 19 Dec 2007 11:14:03 -0800, Jeremy Kemper wrote:

>> 4) Add, at least an option, to hash the IP address of the user into
>> the cookie's hash. This should prevent against replay attacks
>> automatically without the application developer having to write in
>> this check.
I'm +1 on *anything* that prevents replay attacks (it's one of my big peeves about CookieSessions in the first place), but I wonder about the edge cases.

If I'm coming through a proxy farm like AOL's, will I always come through the same proxy during the same session? What about mobile users moving to different cells - do their IPs stay constant? Or DHCP users on networks with short leases? I recall reading (a few years ago) about cable companies switching users' IP addresses frequently in a sort of security-by-obscurity defense against botnet infections.

In *theory*, there are a lot of legitimate reasons for a user's IP address to change during a session, which would break this. But I have no idea if any of those ways really happen with any significant frequency, so I'm really not implying-by-asking - just asking.

--
Jay Levitt                | Boston, MA | My character doesn't like it when they
Faster: jay at jay dot fm |            | cry or shout or hit.
http://www.jay.fm         |            | - Kristoffer
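An added example, not code from Rails or from anyone in this thread, sketching the mechanism under discussion: a signed session cookie in the `data--digest` shape, with the client IP optionally mixed into the MAC input. The secret, function names and IP addresses are constructed for the example. The scenario table makes the edge case concrete: a cookie bound to an IP rejects a replay from another host, but a legitimate user whose address changes mid-session is rejected in exactly the same way, because the server cannot tell the two cases apart.

```ruby
require 'openssl'
require 'base64'
require 'json'

SECRET = 'constructed-example-secret-not-for-real-use' # constructed; use a long random secret

# Constant-time comparison so digest checks leak nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HMAC over the encoded session; when an IP is supplied it is mixed into the
# MAC input, so the cookie only verifies from the address it was issued to.
def session_digest(payload, secret, ip)
  data = ip ? "#{payload}|#{ip}" : payload
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Cookie layout mirrors the "data--digest" shape; JSON is used instead of
# Marshal so a tampered payload never reaches an unsafe deserializer.
def build_cookie(session, secret, ip: nil)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{session_digest(payload, secret, ip)}"
end

# Returns the session hash, or nil when the digest does not match the payload
# and (if the cookie was bound) the IP of the client presenting it.
def verify_cookie(cookie, secret, ip: nil)
  payload, digest = cookie.to_s.split('--', 2)
  return nil unless payload && digest
  return nil unless secure_compare(session_digest(payload, secret, ip), digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Walks through the cases raised in the thread; true means the cookie was
# accepted. Addresses are constructed documentation-range values.
def replay_scenarios
  session = { 'user_id' => 42 }
  bound   = build_cookie(session, SECRET, ip: '203.0.113.10')
  unbound = build_cookie(session, SECRET)
  {
    bound_same_ip:    !verify_cookie(bound, SECRET, ip: '203.0.113.10').nil?,
    bound_replayed:   !verify_cookie(bound, SECRET, ip: '198.51.100.7').nil?, # captured cookie, other host
    bound_ip_changed: !verify_cookie(bound, SECRET, ip: '203.0.113.11').nil?, # same user, proxy/cell moved
    unbound_replayed: !verify_cookie(unbound, SECRET).nil?,                   # no binding: accepted anywhere
    tampered:         !verify_cookie(bound.sub(/\A./, 'A'), SECRET, ip: '203.0.113.10').nil?
  }
end
```

Note that `bound_replayed` and `bound_ip_changed` come out identical; any IP-binding option has to weigh that false-rejection rate against the replay protection it buys.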
