[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4

Steffen Hansen steffen at klaralvdalens-datakonsult.se
Mon May 24 21:17:49 CEST 2004


On Monday 24 May 2004 18:36, Martin Konold wrote:

> I am not aware of any https secured application which prevented
> hijacking with checking the remote IP.

This has nothing to do with TCP hijacking, it has to do with another 
user stealing the login cookie and being able to use this as a 
universal key to access the user's account from all over the world.

> > , cross-site scripting
>
> How does checking the remote IP prevent cross-site scripting?

No, but it prevents the scripter from getting a cookie he can use freely 
to assume the target's identity.

> > in union with social engineering tactics
>
> I also fail to understand how checking the IP prevents against social
> engineering tactics.

"Type in this, do that, etc." => user's login cookie is given to 
intruder. By checking the IP he at least needs to assume the same IP 
address as the computer he attacks.

> > etc., so IMO not
> > having two lines of PHP code to check for the remote address of the
> > client would be a bug.
>
> Well, if it does not hurt.... (I doubt that there is any gain though)

It doesn't make or break the system, but enhances security. It is silly 
not to do it, and this discussion is getting silly. 

There are of course other things we could also do to further protect the 
user's session, but the effort is bigger.

> BTW: There are legitimate cases where the IP might change rightfully!

Not in the middle of a session. If this happens, I'd prefer if the user 
has to log in again.

-- 
Steffen Hansen          |       Klarälvdalens Datakonsult AB
Senior Software Engineer|       http://www.klaralvdalens-datakonsult.se
                        |
                        |       Platform-independent
                        |       software solutions
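The "two lines of PHP" discussed above, written out as an added example (not code from kolab-webadmin or from either poster): the session records the client address it was created from, refuses a session cookie presented from a different address, and forces a fresh login in that case, which is the behaviour Steffen says he would prefer. Function and session key names are assumptions; the array form of session_set_cookie_params assumes PHP 7.3 or later.

```php
<?php
// Added example: bind a PHP session to the remote address it was created
// from, so a stolen login cookie is useless from elsewhere. Names such as
// enforceSessionAddress and 'bound_addr' are assumptions, not project code.

declare(strict_types=1);

// Cookie hardening; the address check only narrows how a leaked cookie
// can be used, it does not prevent the leak itself.
session_set_cookie_params([
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable by page script
    'samesite' => 'Strict', // not sent on cross-site requests
]);
session_start();

/**
 * Returns true if the session may continue, false if it was destroyed.
 * $remoteAddr is $_SERVER['REMOTE_ADDR']; behind a trusted reverse proxy
 * the address the proxy recorded would have to be used instead, and
 * clients whose address legitimately changes (see the thread) are logged out.
 */
function enforceSessionAddress(string $remoteAddr): bool
{
    if (!isset($_SESSION['bound_addr'])) {
        // First request of this session: record the address and rotate the
        // session id so a cookie value set before login is not kept.
        session_regenerate_id(true);
        $_SESSION['bound_addr'] = $remoteAddr;
        return true;
    }
    if ($_SESSION['bound_addr'] === $remoteAddr) {
        return true;
    }
    // Address changed mid-session: drop the session and require a new login.
    error_log('session address mismatch, forcing re-login');
    $_SESSION = [];
    session_destroy();
    return false;
}

if (!enforceSessionAddress($_SERVER['REMOTE_ADDR'] ?? '')) {
    header('Location: /login.php', true, 303); // login page path is assumed
    exit;
}
```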
