[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4
Steffen Hansen
steffen at klaralvdalens-datakonsult.se
Mon May 24 21:17:49 CEST 2004
On Monday 24 May 2004 18:36, Martin Konold wrote:
> I am not aware of any https secured application which prevented
> hijacking with checking the remote IP.
This has nothing to do with TCP hijacking, it has to do with another
user stealing the login cookie and being able to use this as a
universal key to access the users account from all over the world.
> > , cross-site scripting
>
> How does checking the remote IP prevent cross-site scripting?
No, but it prevents the scripter from getting a cookie he can use freely
to assume the target's identity.
> > in union with social engineering tactics
>
> I also fail to understand how checking the IP prevents against social
> engineering tactics.
"Type in this, do that, etc." => the user's login cookie is given to the
intruder. By checking the IP he at least needs to assume the same IP
address as the computer he attacks.
> > etc., so IMO not
> > having two lines of PHP code to check for the remote address of the
> > client would be a bug.
>
> Well, if it does not hurt.... (I doubt that there is any gain though)
It doesn't make or break the system, but enhances security. It is silly
not to do it, and this discussion is getting silly.
There are of course other things we could also do to further protect the
user's session, but the effort is bigger.
> BTW: There are legitimate cases where the IP might change rightfully!
Not in the middle of a session. If this happens, I'd prefer if the user
has to log in again.
--
Steffen Hansen | Klarälvdalens Datakonsult AB
Senior Software Engineer | http://www.klaralvdalens-datakonsult.se
Platform-independent software solutions
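The check the thread argues about, as an added illustration that is not code from kolab-webadmin: the session records the client address seen at login and any later request from a different address ends the session and sends the user back to the login form. The login URL, the array-based helpers and the placement in a page script are assumptions.

```php
<?php
// Added example, not part of the Kolab code base. Binds a PHP session to the
// client address it was created from. Assumes $_SERVER['REMOTE_ADDR'] is the
// real client address (behind a reverse proxy it would be the proxy's).
declare(strict_types=1);

/**
 * Called once, right after credentials have been verified at login.
 * Regenerating the id ensures a cookie value set before login is useless.
 */
function bind_session_to_client(array &$session, string $remote_addr): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['bound_addr'] = $remote_addr;
}

/**
 * True only when the session carries a binding and it matches the address
 * of the current request. A session with no binding is not logged in.
 */
function session_matches_client(array $session, string $remote_addr): bool
{
    if (!isset($session['bound_addr']) || !is_string($session['bound_addr'])) {
        return false;
    }
    return $session['bound_addr'] === $remote_addr;
}

// Per-request check on every page behind the login (hypothetical placement
// at the top of a script such as admin/user/user.php).
session_start();
$client = $_SERVER['REMOTE_ADDR'] ?? '';
if (isset($_SESSION['bound_addr']) && !session_matches_client($_SESSION, $client)) {
    // Address changed mid-session: drop the session and require a new login,
    // which is the behaviour preferred in the message above.
    $_SESSION = [];
    session_destroy();
    header('Location: /admin/login.php'); // hypothetical login URL
    exit;
}
```

This only narrows who can replay a stolen cookie (anyone sharing the bound address, for example behind the same NAT, still can), and users whose address legitimately changes during a session, such as those behind rotating proxies, will be logged out, which is the cost Martin points to.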