Re: [Zope-dev] Re: CoreSessionTracking proposal

2000-10-02 Thread KevinL 


Please, please, please, do _not_ use IP numbers to verify it's the same 
connection.  You guys don't have the problem in .us, but out here at the 
fringes (.au, and presumably .uk and similar), proxy server use is rampant - 
and leaning on IP breaks, because proxy's share the connection around.

Example:  Connect.com.au (backbone provider) have three proxy servers in 
melbourne, two in Sydney.  Their customers have their own proxies.  
An end user hits the customer's proxy, which requests via ICP from _all_ of 
CCA's proxies in their region - the fastest proxy at the time responds first.
Fastest can, and does, change very quickly when those boxes are close to the 
same load - a single session often chops between multiple IP's.
Then the customer's proxy is also leaning on telstra's proxy's, in a 
completely different netblock, and sometimes they decide upstream response is 
too slow and they'll go direct.

People leaning on the source IP for verification just means you get more 
complaints from .au people unable to use your site.  I wouldn't even offer it 
unless you made some passing attempt to get the browser's own IP (use 
the proxy header, can't remember which one, that reports browser IP), even 
then I'd be cautious as that's a voluntary header.

KevinL
(that one's a bugbear of mine ;)

 [EMAIL PROTECTED] wrote
 --- In [EMAIL PROTECTED], Chris McDonough [EMAIL PROTECTED] wrote:
  I suppose I could implement something like this (encode the IP 
 address
  into the token) and provide a knob to turn it on and off on 
 the id
  manager.  I'm not going to do this for the first iteration, I 
 need to
  get it working first.  :-)
[snip]
 In fact, if I remember well the server remembers the IP address 
 (instead of crunching it into the id) and check the 
 correspondence between the session id and the IP address when 
 answering request.

 I was told that some ISP change your IP address during a 
 connection but never took the time to check if it is true.
[snip]


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Server Side Trojan Issue really dead?

2000-08-07 Thread KevinL 

 Steve Alexander wrote:
 However... the zope security system could help with this. Here's an ill
 thought out idea for your consideration :-)
 
 Have a function that takes two sets of permissions, and returns the
 intersection of these sets. Then, use some sort of local permissions
 combination to make the wiki page that's been edited have the resultant
 lowest-common-denominator permissions, even for the owner.

Correct me if I'm wrong, but wouldn't this have the same problem?  Person of 
high access makes zwiki, person of low access adds evil function to it, person 
of high access views it - unless you're tracking "smallest set of privileges 
held by anyone editing this page" at all times, you're going to intersect 
owner with creator and still allow editor to trojan.

Is that the essential problem, or should I be quiet and go away?  (or both? ;)

KevinL


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )