[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4
Martin Konold
martin.konold at erfrakon.de
Mon May 24 18:36:52 CEST 2004
On Monday 24 May 2004 02:28 pm, Steffen Hansen wrote:
Hi,
> > What are you doing here??!! The hijacking of the TCP/IP session is
> > impossible with ssl secured https.
>
> And pigs fly??!!...
>
> There have been so many many security problems because of
> webapplications who don't check the remote address of the session or
> login cookie.
I am not aware of any https secured application which prevented hijacking with
checking the remote IP.
> SSL or not, there are buggy browsers
If the browser of the user allows for hijacking due to a buggy browser
implementation then your approach does not help anything. The attacker would
be able to take over the connection anyway.
> , cross-site scripting
How does checking the remote IP prevent cross-site scripting?
> in union with social engineering tactics
I also fail to understand how checking the IP prevents against social
engineering tactics.
> etc., so IMO not
> having two lines of PHP code to check for the remote address of the
> client would be a bug.
Well, if it does not hurt.... (I doubt that there is any gain though)
BTW: There are legitimate cases where the IP might change rightfully!
Yours,
-- martin
Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Consulting Engineers and Physicists
Nobelstrasse 15, 70569 Stuttgart, Germany
phone: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de
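The check being argued about above, written out as an added example. This is not code from kolab-webadmin or from either poster; the function names, the session key `bound_addr` and the login path are assumptions made here. It shows the remote-address binding Steffen describes together with the two points Martin raises: it does nothing against an attacker who already controls the user's browser, and it locks out a legitimate user whose address changes mid-session.

```php
<?php
// Added example, not kolab-webadmin code. Binds a PHP session to the client
// address that started it and checks that binding on later requests.
// Function names, the 'bound_addr' key and the login path are assumptions.

// At login: regenerate the session id so a pre-login id handed to the user by
// an attacker (session fixation) is discarded, then record the peer address.
// REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the proxy, and
// every user would share the same address, making the check meaningless.
function session_bind_addr(): void {
    session_regenerate_id(true);
    $_SESSION['bound_addr'] = $_SERVER['REMOTE_ADDR'];
}

// The check itself ("two lines of PHP"): the request passes only if the
// session carries a bound address and it equals the current peer address.
function session_addr_matches(array $session, array $server): bool {
    return isset($session['bound_addr'], $server['REMOTE_ADDR'])
        && $session['bound_addr'] === $server['REMOTE_ADDR'];
}

// On every authenticated request: on mismatch, drop the session and force a
// fresh login instead of silently continuing with the old identity.
function require_bound_session(): void {
    if (!session_addr_matches($_SESSION, $_SERVER)) {
        session_unset();
        session_destroy();
        header('Location: /admin/login.php'); // path is an assumption
        exit;
    }
}

// Constructed requests illustrating both sides of the thread. The session was
// bound to 192.0.2.10 (documentation range, not a real host).
$session = ['bound_addr' => '192.0.2.10'];

// Same address as at login: the request is accepted.
$same_client = session_addr_matches($session, ['REMOTE_ADDR' => '192.0.2.10']);

// A stolen cookie replayed from another host is rejected. Note that a cookie
// replayed by code running in the victim's own browser (buggy browser, XSS)
// arrives from 192.0.2.10 and is NOT caught by this check.
$other_host = session_addr_matches($session, ['REMOTE_ADDR' => '198.51.100.7']);

// Martin's caveat: the same user after a dial-up reconnect or proxy-pool
// rotation is indistinguishable from the hijacker and gets logged out too.
$same_user_new_addr = session_addr_matches($session, ['REMOTE_ADDR' => '192.0.2.11']);

var_dump($same_client, $other_host, $same_user_new_addr);
```

Run with the PHP CLI; only the pure comparison is exercised at top level, so no HTTP context is needed. The interesting observation is that the second and third cases produce the same result: the check cannot tell a replayed cookie from a legitimately re-addressed client, which is the trade-off the thread is about.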