[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4

Martin Konold martin.konold at erfrakon.de
Mon May 24 18:36:52 CEST 2004


On Monday 24 May 2004 02:28 pm, Steffen Hansen wrote:

Hi,

> > What are you doing here??!! The hijacking of the TCP/IP session is
> > impossible with ssl secured https.
>
> And pigs fly??!!...
>
> There have been so many many security problems because of
> webapplications who don't check the remote address of the session or
> login cookie.

I am not aware of any https secured application which prevented hijacking with 
checking the remote IP.

> SSL or not, there are buggy browsers

If the browser of the user allows for hijacking due to a buggy browser 
implementation then your approach does not help anything. The attacker would 
be able to take over the connection anyway.

> , cross-site scripting

How does checking the remote IP prevent cross-site scripting?

> in union with social engineering tactics

I also fail to understand how checking the IP prevents social 
engineering tactics.

> etc., so IMO not
> having two lines of PHP code to check for the remote address of the
> client would be a bug.

Well, if it does not hurt.... (I doubt that there is any gain though)

BTW: There are legitimate cases where the IP might change rightfully!

Yours,
-- martin

Dipl.-Phys. Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de
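The remote-address check debated in this thread, as an added PHP example that is not part of the thread or of kolab-webadmin; the function names and the login URL are my own assumptions, and the comments carry the caveats both sides raise (a legitimately changing IP, and no help against a faulty browser):

```php
<?php
// Added example, not code from the thread or from kolab-webadmin.
// Binds a PHP session to the client address seen at login and re-checks it
// on every request. Function names and the login URL are assumptions.

declare(strict_types=1);

// Call right after a successful login, before anything is stored in $_SESSION.
function bind_session_to_client(array $server): void
{
    session_regenerate_id(true);                    // discard the pre-login id
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy that is the proxy.
    // Do not substitute X-Forwarded-For unless a trusted proxy sets it.
    $_SESSION['client_ip'] = $server['REMOTE_ADDR'] ?? '';
    $_SESSION['bound_at']  = time();
}

// Pure check: does the current request still come from the bound address?
function client_matches(array $session, array $server): bool
{
    $bound = $session['client_ip'] ?? null;
    $now   = $server['REMOTE_ADDR'] ?? null;
    return $bound !== null && $bound !== '' && $bound === $now;
}

// Call at the top of every authenticated page.
function require_bound_client(array $server, string $login_url): void
{
    if (client_matches($_SESSION, $server)) {
        return;
    }
    // Mismatch: the user may have changed address legitimately (proxy pool,
    // NAT, dial-up reconnect), so force a fresh login rather than treating it
    // as proof of an attack. As noted in the thread, this check gives nothing
    // when the user's own browser is the weak point.
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $login_url, true, 303);
    exit;
}

// Typical use (assumed page layout):
// session_start();
// ... after verifying credentials ...
// bind_session_to_client($_SERVER);
// ... at the top of each protected page ...
// require_bound_client($_SERVER, '/admin/login.php');
```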