--- In [EMAIL PROTECTED], Chris McDonough <[EMAIL PROTECTED]> wrote:
> I suppose I could implement something like this (encode the IP
> into the token) and provide a knob to turn it on and off on the id
> manager.  I'm not going to do this for the first iteration, I need to
> get it working first.  :-)
> Steve Spicklemire wrote:
> > 
> > I forget now where I saw this.... but one of the session managers I looked
> > at once checked the IP address of the visitor to make sure it was the
> > same for the entire session, or longer. This at least makes it much harder
> > to hijack a session, even though it means that long-lived cookies might
> > be fooled as a user gets a new dynamic IP address...

I think WebHub is using the IP address. WebHub is a product 
built and working with Delphi. I tried to find where they 
mention it on their website (http://www.webhub.com) but could 
not find it.

In fact, if I remember well, the server remembers the IP address 
(instead of crunching it into the id) and checks the 
correspondence between the session id and the IP address when 
answering a request.

I was told that some ISPs change your IP address during a 
connection but never took the time to check if it is true.
> > 
> > -steve
> > 
> > >>>>> "Chris" == Chris McDonough <[EMAIL PROTECTED]> writes:
> > 
> >     Chris> Session tokens, AFAICT, cannot be secured.  They can only
> >     Chris> be obfuscated, which mitigates the risk that they will be
> >     Chris> guessed.  However, there's no way to completely 
> >     Chris> them, no matter how many MD5 hashing algorithms you run on
> >     Chris> them.  If a session token is stolen, that's the key that
> >     Chris> the "attacker" needs to visit the website "as you".  I've
> >     Chris> addressed this in the implementation by giving the session
> >     Chris> token a random element, and this mitigates a 
> >     Chris> attack, but not a theft attack.
> -- 
> Chris McDonough
> Digital Creations, Publishers of Zope
> http://www.zope.org


Godefroid Chapelle

BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve 

This mail sent through SwinG Webmail: http://mail.swing.be 

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - http://lists.zope.org/mailman/listinfo/zope )
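The two mechanisms discussed in this thread, a session token whose only protection is its random element, and a server-side check that the session id is still being presented from the IP address it was issued to (behind an on/off knob), can be put side by side in a few lines. The code below is an added illustration, not Chris McDonough's session manager nor anything from WebHub; the class name, the `bind_to_ip` knob, the expiry handling and the addresses used in `demo()` are all assumptions made for the example. It shows both sides of the trade-off Steve raised: with binding on, a stolen token presented from another address is refused, but so is the legitimate user whose ISP handed out a new dynamic address.

```python
import secrets
import time


class SessionManager:
    """Server-side session store that keeps the client IP next to each
    token (rather than encoding it into the id) and, when bind_to_ip is on,
    refuses the token from any other address.  Hypothetical example code."""

    def __init__(self, bind_to_ip=False, max_age=3600):
        self.bind_to_ip = bind_to_ip   # the "knob" from the thread
        self.max_age = max_age         # seconds a session stays valid
        self._sessions = {}            # token -> {"ip": ..., "created": ...}

    def create(self, client_ip, now=None):
        # The token's only defence against guessing is unpredictability:
        # 32 bytes from the OS CSPRNG.  Hashing a predictable value (a
        # counter, a timestamp) with MD5 would add no entropy at all.
        token = secrets.token_urlsafe(32)
        created = time.time() if now is None else now
        self._sessions[token] = {"ip": client_ip, "created": created}
        return token

    def validate(self, token, client_ip, now=None):
        """True if the token is known, unexpired and (when binding is on)
        presented from the address it was issued to."""
        record = self._sessions.get(token)
        if record is None:
            return False
        current = time.time() if now is None else now
        if current - record["created"] > self.max_age:
            del self._sessions[token]        # expired: drop it server-side
            return False
        if self.bind_to_ip and record["ip"] != client_ip:
            # Token presented from a different address: treat as hijack.
            return False
        return True


def demo():
    """Walk through the thread's scenarios with constructed addresses
    (RFC 5737 documentation ranges); returns a dict of outcomes."""
    strict = SessionManager(bind_to_ip=True)
    token = strict.create("192.0.2.10", now=0.0)
    lenient = SessionManager(bind_to_ip=False)
    token2 = lenient.create("192.0.2.10", now=0.0)
    return {
        # the real user, same address: accepted
        "owner_same_ip": strict.validate(token, "192.0.2.10", now=1.0),
        # stolen token replayed from elsewhere: refused
        "stolen_token_other_ip": strict.validate(token, "198.51.100.7", now=1.0),
        # the real user after a dynamic IP change: also refused (the cost)
        "owner_after_dynamic_ip_change": strict.validate(token, "192.0.2.11", now=1.0),
        # knob off: the stolen token is as good as the original
        "stolen_token_binding_off": lenient.validate(token2, "198.51.100.7", now=1.0),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'refused'}")
```

Whether the knob should default on depends on the user population: for an intranet with static addresses the check costs nothing and stops replay of a leaked cookie; for dial-up or mobile users it produces spurious logouts, which is exactly the objection in the quoted message.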
