[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4
Martin Konold
martin.konold at erfrakon.de
Tue May 25 12:36:51 CEST 2004
On Tuesday 25 May 2004 11:37 am, Bernhard Reiter wrote:
Hi Bernhard,
> If there are security implications we should base
> it on arguments.
Exactly!
> As far as I understood it, Steffen is right in that
> an IP should not change during a session and protecting
> against this is a small added security measure.
Your assumption is wrong. There are _legitimate_(*) changes of the source
address during a http session(**).
As mentioned before there is not a single case where this extra code really
helps to defend against a real attack but it breaks legitimate use cases.
My conclusion: Wrong solution to the wrong problem.
Yours,
-- martin
(*) Roaming Setups, DHCP clients, load balancing web proxies, redundant ISP
links.....
(**) Please note that http is, in contrast to popular belief, not based on
persistent connections!
Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de