[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4

Steffen Hansen steffen at klaralvdalens-datakonsult.se
Mon May 24 14:28:47 CEST 2004


On Monday 24 May 2004 14:03, Martin Konold wrote:
> On Monday 24 May 2004 01:53 pm, cvs at intevation.de wrote:
>
> Hi Steffen,
>
> > reasonable default for homeServer. Check IP address when
> > authenticating to make it more difficult to hijack a session
>
> What are you doing here??!! The hijacking of the TCP/IP session is
> impossible with ssl secured https.

And pigs fly??!!...

There have been so many many security problems because of 
web applications that don't check the remote address of the session or 
login cookie. SSL or not, there are buggy browsers, cross-site 
scripting in union with social engineering tactics etc., so IMO not 
having two lines of PHP code to check for the remote address of the 
client would be a bug.

regards
-- 
Steffen Hansen          |       Klarälvdalens Datakonsult AB
Senior Software Engineer|       http://www.klaralvdalens-datakonsult.se
                        |
                        |       Platform-independent
                        |       software solutions
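The remote-address check Steffen argues for, written out as an added PHP example (this is not code from kolab-webadmin or from the CVS commit under discussion). It assumes the application uses native PHP sessions, that `$_SERVER['REMOTE_ADDR']` is the real client address (no reverse proxy in front of the web server), and a login page at `/admin/login.php`, which is a placeholder path.

```php
<?php
// Added example, not kolab-webadmin's own code: bind a PHP session to the
// client address seen at login and re-check it on every request.
// Assumes session_start() has already been called and that REMOTE_ADDR is
// the real client address (no reverse proxy or load balancer in front).

// Call once, immediately after the user has authenticated successfully.
function bind_session_to_client(): void {
    // New id on login so a pre-authentication id cannot be reused later.
    session_regenerate_id(true);
    $_SESSION['auth_addr'] = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
    $_SESSION['auth_time'] = time();
}

// Returns true only when the session was created by a login and the
// request comes from the same address that login came from.
function session_matches_client(): bool {
    if (!isset($_SESSION['auth_addr']) || $_SESSION['auth_addr'] === '') {
        return false; // never authenticated in this session
    }
    $now = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
    return hash_equals($_SESSION['auth_addr'], $now);
}

// Call at the top of every protected page (e.g. admin/user/user.php).
// On mismatch: log it, destroy the session and its cookie, force re-login.
function require_bound_session(): void {
    if (session_matches_client()) {
        return;
    }
    error_log(sprintf('kolab-webadmin: session %s presented from %s, bound to %s',
        session_id(), $_SERVER['REMOTE_ADDR'] ?? '?',
        $_SESSION['auth_addr'] ?? 'none'));
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /admin/login.php?reason=session'); // placeholder path
    exit;
}
```

Two practical consequences of this check: clients whose address changes mid-session (mobile users, rotating proxies) are logged out and must re-authenticate, and clients behind the same NAT gateway share an address, so the check narrows but does not eliminate who can present a stolen cookie.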
