Re: Witango-Talk: Internal IP Address as client IP

Thu, 08 Jun 2006 17:11:21 -0700

Yes, if you use HTTP cleartext transport, you can use a packet sniffer and grab the cookie. But the normal hijack route is by copying and pasting URLs into an email that gets passed around.
So one thing I do is only allow one concurrent login (IP address) per userrefernce. This limits the problem nefarious to co-workers in the same NETed subnet The downside is that some users close their window mistakenly without logging out, and then they can't login again until the previous session times out. But we allow them to check a box to force their old session to expire. 

On Jun 8, 2006, at 4:57 PM, Alan Wolfe wrote:


Could someone spoof a cookie's value just like someone could spoof  
a user ref argument to do session hijacking?



On 6/8/06, Robert Garcia <[EMAIL PROTECTED]> wrote:

Yes, but that doesn't solve any of the issues that arise from using  
it in a url, you have the same issues, when you don't just use the  
cookie methods.




--


Robert Garcia
President - BigHead Technology
VP Application Development - eventpix.com
13653 West Park Dr
Magalia, Ca 95954
ph: 530.645.4040 x222 fax: 530.645.4040
[EMAIL PROTECTED] - [EMAIL PROTECTED]
http://bighead.net/ - http://eventpix.com/

On Jun 8, 2006, at 4:48 AM, Dale Graham wrote:


You can also pass UserReferenceArgument as a hidden argument,  
which drops it out of the URL...




I believe it must be in this form  <input type="hidden"  
name="_userReference" value="<@UserReferenceArgument>">




If I am in error on the format, someone on the list more  
knowledgeable can correct this .....


On Jun 7, 2006, at 12:09 PM, GEzra wrote:


Folks I'm dealing with do not like cookies, candies or anything  
sweet - spent a lot of time making sure that I was passing  
userref in the url to avoid cookies. I'm just gonna see if my isp  
can do something about their router, unless my xserve is doing  
this NAT, even though its turned off.



Thanks for your help on this Dave, William & Robert!


Ezra




On 2-Jun-06, at 4:23 AM, Robert Garcia wrote:



Yes, they are in the URI, you can see in the log:



_function=validate_user&_UserReference=58FA321F03B02D3E447F5B62



Remove userreference from URI, and only use cookies.


--
Robert Garcia
President - BigHead Technology
VP Application Development - eventpix.com
13653 West Park Dr
Magalia, Ca 95954
ph: 530.645.4040 x222 fax: 530.645.4040
[EMAIL PROTECTED] - [EMAIL PROTECTED]
http://bighead.net/ - http://eventpix.com/


On Jun 1, 2006, at 8:35 PM, William M Conlon wrote:



Are the userref's in the URI?  That would allow them to be shared.


Look in the archive on session hijacking.




On Jun 1, 2006, at 7:37 PM, GEzra wrote:



Hello all!



I looked at my witango log today and it seems like the same  
userreference was assigned to two different users, seconds  
apart while both were accessing diff. apps.




What's so odd is that the server address of xxx.xxx.xxx.xxx is  
being logged as the clients ip. How can this be?






01/06/2006 14:27:19 xxx.xxx.xxx.xxx  
[EMAIL PROTECTED] 25272320 1 1 [Application File]  
START /apps/login.taf WitangoServer  
_function=validate_user&_UserReference=58FA321F03B02D3E447F5B62
01/06/2006 14:27:44 xxx.xxx.xxx.xxx  
[EMAIL PROTECTED] 25310208 1 0 [Application File]  
START /apps/login.taf WitangoServer  
_function=validate_user&_UserReference=58FA321F03B02D3E447F5B62





Any ideas?


thanks,
Ezra

_________________________________________________________________ 
_______
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/ 
maillist.taf



Bill


William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
   vox:  650.327.2175 (direct)
   fax:  650.329.8335
mobile:  650.906.9929
e-mail:  mailto:[EMAIL PROTECTED]
   web:  http://www.tothept.com



__________________________________________________________________ 
______
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/ 
maillist.taf




___________________________________________________________________ 
_____

TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf




____________________________________________________________________ 
____

TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf






_____________________________________________________________________ 
___ TO UNSUBSCRIBE: Go to http://www.witango.com/developer/ 
maillist.taf



______________________________________________________________________ 
__ TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf



______________________________________________________________________ 
__ TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf


Bill

William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
   vox:  650.327.2175 (direct)
   fax:  650.329.8335
mobile:  650.906.9929
e-mail:  mailto:[EMAIL PROTECTED]
   web:  http://www.tothept.com

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf























					Reply via email to