On 12/19/07, Jay Levitt <[EMAIL PROTECTED]> wrote:
>
> On Wed, 19 Dec 2007 11:14:03 -0800, Jeremy Kemper wrote:
>
> >> 4) Add, at least an option, to hash the IP address of the user into
> >> the cookie's hash. This should prevent against replay attacks
> >> automatically without the application developer having to write in
> >> this check.
>
> I'm +1 on *anything* that prevents replay attacks (it's one of my big
> peeves about CookieSessions in the first place), but I wonder about the
> edge cases.
>
> If I'm coming through a proxy farm like AOL's, will I always come through
> the same proxy during the same session? What about mobile users moving to
> different cells - do their IPs stay constant?

Worse, you may get a new IP address for each connection, and with
plans/batteries being what they are, you can imagine a lot of these
rapid-fire connect/disconnect cycles. My daily e-mail checking habit
involves several IP addresses within the span of a few minutes.

Assaf

> Or DHCP users on networks with short leases? I recall reading (a few
> years ago) about cable companies switching users' IP addresses
> frequently in a sort of security-by-obscurity defense against botnet
> infections.
>
> In *theory*, there are a lot of legitimate reasons for a user's IP address
> to change during a session, which would break this. But I have no idea if
> any of those ways really happen with any significant frequency, so I'm
> really not implying-by-asking - just asking.
>
> --
> Jay Levitt            |
> Boston, MA            | My character doesn't like it when they
> Faster: jay at jay dot fm | cry or shout or hit.
> http://www.jay.fm     | - Kristoffer
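The proposal and the objection above, worked through as an added example (this is illustration code written for this page, not the Rails CookieStore implementation or anything posted in the thread). The class, method names, secret and IP addresses are all invented for the demo; the addresses come from documentation ranges. The store signs the serialized session with an HMAC and, when `bind_ip` is on, feeds the client IP into the digest without storing it in the cookie. The `demo` function then runs the three cases the thread is arguing about: the original client, a replay of the same cookie from another address, and a tampered payload.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Hypothetical cookie session store (not Rails' CookieStore): the session
# hash is serialized, base64-encoded and signed with HMAC-SHA256. With
# bind_ip: true the client's IP address is mixed into the MAC input, which
# is the "hash the IP into the cookie's hash" option under discussion.
class IpBoundCookieSession
  # Constructed demo secret; a real deployment would load one from config.
  DEMO_SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

  def initialize(secret: DEMO_SECRET, bind_ip: true)
    @secret = secret
    @bind_ip = bind_ip
  end

  # Produce "payload--mac". The IP is only an input to the digest, so the
  # cookie itself does not reveal which address it was issued to.
  def generate(session, client_ip)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{digest(payload, client_ip)}"
  end

  # Verify a cookie presented from client_ip. Returns the session hash, or
  # nil when the MAC does not match: either the payload was tampered with,
  # or (with binding on) the cookie arrived from a different address.
  def verify(cookie, client_ip)
    payload, mac = cookie.split('--', 2)
    return nil if payload.nil? || mac.nil?
    return nil unless secure_compare(digest(payload, client_ip), mac)
    JSON.parse(Base64.strict_decode64(payload))
  rescue JSON::ParserError, ArgumentError
    nil
  end

  private

  def digest(payload, client_ip)
    data = @bind_ip ? "#{payload}|#{client_ip}" : payload
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison so MAC checking does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end
end

# The scenarios from the thread. Addresses are constructed (RFC 5737
# documentation ranges). Returns true/false per case: true means the
# cookie was accepted.
def demo(bind_ip:)
  store = IpBoundCookieSession.new(bind_ip: bind_ip)
  issued_from = '203.0.113.10'
  cookie = store.generate({ 'user_id' => 42 }, issued_from)
  {
    # Same client, same address: always accepted.
    same_ip:  !store.verify(cookie, issued_from).nil?,
    # Same cookie from another address. With binding on this is the replay
    # that gets rejected; it is also what a legitimate user looks like after
    # a proxy-farm hop, a cell handoff or a DHCP lease change.
    other_ip: !store.verify(cookie, '198.51.100.7').nil?,
    # Payload modified in transit: rejected regardless of binding.
    tampered: !store.verify(cookie.sub('--', 'x--'), issued_from).nil?
  }
end

if __FILE__ == $0
  puts "bind_ip: true  -> #{demo(bind_ip: true)}"
  puts "bind_ip: false -> #{demo(bind_ip: false)}"
end
```

With `bind_ip: true` the `other_ip` case is rejected, which is the replay protection Jeremy's item 4 is after; with `bind_ip: false` the same cookie is accepted from anywhere. The store cannot tell the two `other_ip` situations apart, so the scenarios Jay and Assaf describe (a user whose address changes mid-session) are logged out exactly as an attacker would be. Note also that a replayer who shares the victim's egress address, such as another user behind the same proxy, presents the same IP and is indistinguishable from the `same_ip` case.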
