NAT'd IP's Re: [Seaside] Seaside session stealing
Randal L. Schwartz
merlyn at stonehenge.com
Wed Apr 22 01:01:19 UTC 2009
>>>>> "Nevin" == Nevin Pratt <nevin at bountifulbaby.com> writes:
Nevin> 2. If we don't get a proper "remember me" cookie back from the user, then
Nevin> check to see if cookies are enabled in the user's browser. If they are not
Nevin> even enabled, then default to an IP check-- if the IP is the same, consider
Nevin> that the session is NOT stolen.
Please don't make the mistake of presuming "ip == user".
You've already identified the case (behind a NAT) where many users share the
same IP, but consider also the "walled garden" of AOL users, where the same
user can come in from different IPs during a single session.
You must allow for that.
In general, IP-based checks are broken. Don't rely on them.
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
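As an added example that is not code from this thread, from Randal or Nevin, or from Seaside itself, the following Python model puts the two validation strategies under discussion side by side: the IP check Nevin proposes as a fallback, and a check bound to a secret cookie token like the "remember me" cookie. It then runs both against the two cases Randal raises (many users behind one NAT address, and one user arriving from changing addresses within a session). The class and method names, the IP addresses and the user names are all constructed for the demo.

```python
# Added example, not code from the Seaside thread or from Seaside itself.
# Models two session-validation strategies and exercises them against the
# two cases raised in the thread. All IPs, users and sessions are constructed.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    session_id: str      # the identifier a URL carries; assumed to be leakable
    user: str
    bound_ip: str        # client IP seen when the session was created
    cookie_token: str    # secret held only by the browser that created the session


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str) -> Session:
        session = Session(
            session_id=secrets.token_urlsafe(16),
            user=user,
            bound_ip=ip,
            cookie_token=secrets.token_urlsafe(32),
        )
        self._sessions[session.session_id] = session
        return session

    def validate_by_ip(self, session_id: str, ip: str) -> bool:
        """The 'IP check' fallback: known session id + same IP => treated as not stolen."""
        session = self._sessions.get(session_id)
        return session is not None and session.bound_ip == ip

    def validate_by_cookie(self, session_id: str, presented_token: Optional[str]) -> bool:
        """Bind the session to a secret the browser holds; the client IP is not consulted."""
        session = self._sessions.get(session_id)
        if session is None or presented_token is None:
            return False
        # constant-time comparison so response timing does not leak the token
        return hmac.compare_digest(session.cookie_token, presented_token)


def run_scenarios() -> Dict[str, bool]:
    store = SessionStore()

    # Case 1 (NAT): many users share one public IP. A neighbour behind the same
    # NAT obtains alice's session id (for example from a pasted URL) and replays
    # it from the shared address, without alice's cookie.
    nat_ip = "203.0.113.7"
    alice = store.create("alice", nat_ip)
    nat_attacker_ip_check = store.validate_by_ip(alice.session_id, nat_ip)
    nat_attacker_cookie_check = store.validate_by_cookie(alice.session_id, None)

    # Case 2 (walled garden): one legitimate user whose requests leave through
    # different proxy addresses during a single session, cookie intact.
    bob = store.create("bob", "198.51.100.10")
    next_hop_ip = "198.51.100.11"
    roaming_user_ip_check = store.validate_by_ip(bob.session_id, next_hop_ip)
    roaming_user_cookie_check = store.validate_by_cookie(bob.session_id, bob.cookie_token)

    return {
        "nat_attacker_passes_ip_check": nat_attacker_ip_check,          # True: stolen session accepted
        "nat_attacker_passes_cookie_check": nat_attacker_cookie_check,  # False
        "roaming_user_passes_ip_check": roaming_user_ip_check,          # False: legitimate user rejected
        "roaming_user_passes_cookie_check": roaming_user_cookie_check,  # True
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The IP-bound check fails in both directions: it accepts the NAT neighbour replaying a leaked session id, and it rejects the roaming user mid-session. The cookie-bound check gets both cases right, but only because the browser has cookies enabled, which is exactly the situation Nevin's fallback was meant to cover. For the cookies-disabled case the example offers nothing better, in line with the thread's conclusion that an IP check is not a substitute.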