I would avoid basing security on IP address. In addition to the spoofing attack already mentioned, some proxy servers and cache engines replace the source IP address when they pass the request to your server. Under these circumstances, everyone seems to come from the same IP address.

As recommended, a good book (or expert) on security is a requirement for looking at these kinds of problems. There is almost always more to it than you think.

G. Wade

Sjoerd van Leent wrote:
>
> An easy workaround is to save the client IP-address in the session, and
> check on each page that this IP-address is the address the client has. It's
> not waterproof, but it makes it far more difficult (ensure that a good
> router is available).
>
> Sjoerd van Leent
>
> -----Original Message-----
> From: Richard Dunn [mailto:[EMAIL PROTECTED]]
> Sent: Sunday 17 August 2003 21:02
> To: Tomcat Users List
> Subject: Re: Session Security
>
> On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
> > Is there any block against someone stealing someone else's session id
> > and using it for nefarious purposes? In other words, if I write a grade
> > book program, could a sharp student write down the session id from a
> > web address (if cookies are off) or look in the teacher's cookie file,
> > and then go to a computer in the library and use the same session id to
> > connect to the grade book page before the teacher logs out?
> >
> > Does the session id check itself against the issuing computer's IP
> > address or anything to prevent such a thing from happening? I realize
> > it's a stretch that someone might leave their computer unattended long
> > enough for such a thing to happen, but I just want to be sure. Also,
> > could someone listening in to the net traffic grab the session id and
> > then use it?
> >
> > Thanks,
> > Todd
>
> I am not a security expert, but if someone with my limited knowledge on
> security can use a tool like tcpdump and do some of what you're saying
> (and I have), a nefarious type whose primary interest is doing this type
> of thing certainly can.
>
> The number of possible exploits is endless, but for a start I would
> suggest using SSL to encrypt the login info and data going over the wire.
> There are things you can do programmatically to check for the computer's
> IP, but this can also be spoofed by someone with even a little knowledge.
>
> I would recommend getting a good book on security. There are things you
> can do at the system admin level to decrease the chance of a security
> breach, but you also have to put the right stuff in your programs. Holes
> on either one can negate the other.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
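The workaround Sjoerd describes (remember the client address in the session, compare it on every request), written out as a servlet Filter for Tomcat. This is an added example, not code posted by anyone in the thread; the class name, the session attribute key and the error text are my own choices, and the comments carry the caveats about proxies and changing addresses that Richard and G. Wade raise.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Binds an existing HttpSession to the address it was first seen from and
 * refuses later requests that present the same session id from a different
 * address. Register it in web.xml with a url-pattern of /*.
 */
public class SessionIpBindingFilter implements Filter {

    // Hypothetical attribute key; any key the application does not use works.
    private static final String BOUND_ADDR = "SessionIpBindingFilter.addr";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session here; only bind sessions the application made.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Caveat from the thread: behind a proxy or cache engine this is the
            // proxy's address, so every user matches and the check proves nothing.
            String current = request.getRemoteAddr();
            String bound = (String) session.getAttribute(BOUND_ADDR);
            if (bound == null) {
                session.setAttribute(BOUND_ADDR, current);   // first sighting
            } else if (!bound.equals(current)) {
                // Same id, different address: drop the session rather than serve
                // it. A legitimate user whose address changed is logged out too;
                // that is the price of this check, and SSL is still needed to
                // keep the id off the wire in the first place.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Session is bound to a different client address");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```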
