Re: [qmailadmin] Sessions Cookies (was File Error 6 and IP addresses)

2003-03-19 Thread Tom Collins
On Wednesday, March 19, 2003, at 10:46 AM, Mike Sharp wrote:
> 1. Why the authentication based on IP address?
>
> 2. Is there any way to turn this off, so that a standard SSL session
> and cookie is all that's needed to authenticate?
>
> 3. Are there any other issues to implementing #2?
Excellent questions.

I assume that the IP address issue was to prevent someone from sniffing 
the connection to gain a cookie or session ID that would allow them to 
spoof a connection and make changes.

I have noticed that qmailadmin does not use cookies, and instead passes 
a lot of information as a part of every URL (or via hidden fields).  I 
have considered starting work on code that would attempt to store that 
information in a session cookie.  If the session cookie worked, it 
could leave that information out of the URLs (good for keeping it out 
of referrer logs).  If the session cookie fails, it falls back on the 
old method.  I guess it could even be an option at compile time whether 
it would even try to use a cookie.

I don't think it would be much of a security risk to ignore the IP 
address checks for security on SSL connections (it would have to start 
as an SSL connection, and remain that way).

--
Tom Collins
[EMAIL PROTECTED]
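Tom's sketch above (an opaque session token carried in a cookie rather than in every URL, a fallback for clients that return no cookie, and an IP check that can be switched off once the whole session is SSL) as an added Python example; this is not qmailadmin code, and the in-memory store, the cookie name `session`, the `bind_ip` switch and the 15-minute lifetime are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory session store (token -> record). Illustration only;
# a real CGI would keep this in a file or database with proper locking.
SESSIONS: dict = {}
SESSION_TTL = 900  # assumed: seconds of inactivity before a session dies

def issue_session(user: str, client_ip: str, bind_ip: bool, now: Optional[float] = None) -> str:
    """Mint an opaque random token; optionally remember the client IP (the check the thread discusses)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG, nothing derivable
    SESSIONS[token] = {"user": user, "ip": client_ip if bind_ip else None, "expires": now + SESSION_TTL}
    return token

def set_cookie_header(token: str) -> str:
    """Cookie attributes that keep the token off plaintext HTTP and away from page scripts."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

def token_from_request(cookies: dict, form: dict) -> Optional[str]:
    """Prefer the cookie; fall back to a hidden form field only when no cookie came back."""
    return cookies.get("session") or form.get("session")

def validate(token: Optional[str], client_ip: str, is_tls: bool, now: Optional[float] = None) -> Optional[str]:
    """Return the user name for an acceptable token, else None."""
    now = time.time() if now is None else now
    if not is_tls or not token:                  # never honour a token that arrived in cleartext
        return None
    rec = SESSIONS.get(token)
    if rec is None or now > rec["expires"]:
        SESSIONS.pop(token, None)                # expired: forget it so it cannot be replayed later
        return None
    if rec["ip"] is not None and not hmac.compare_digest(rec["ip"], client_ip):
        return None                              # IP binding is on and the client address changed
    rec["expires"] = now + SESSION_TTL           # sliding expiry on each valid use
    return rec["user"]
```

With `bind_ip=False` the token alone identifies the session, which is the SSL-only mode Tom describes; a cookie marked `Secure` is the mechanism that keeps it from ever being sent over a non-SSL hop.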



Re: [qmailadmin] Sessions Cookies (was File Error 6 and IP addresses)

2003-03-19 Thread Mike Sharp
Thanks for the insight, Tom.

I guess I had assumed it would set a session cookie with an encrypted 
token (SOP in some platforms).  In my case (a hosted account with 
Zettai.net), I believe the entire session is SSL, but I've never gotten all 
that far into the application yet, because of the IP issue!  I'll pass this 
info on to George at Zettai, in the hope he'll see fit to drop the IP 
requirement.

Thanks and Best Regards,
Mike Sharp





> From: Tom Collins [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [qmailadmin] Sessions Cookies (was File Error 6 and IP addresses)
> Date: Wed, 19 Mar 2003 11:04:11 -0700