NAT'd IP's Re: [Seaside] Seaside session stealing

Igor Stasenko siguctua at gmail.com
Wed Apr 22 03:32:05 UTC 2009


If one can sniff the TCP traffic between server and user, there is no
difference in how you pass a session id - using cookies or a unique URL -
because both can be extracted from packets.
I think that, except for SSL, there is no really secure solution.


2009/4/22 Nevin Pratt <nevin at bountifulbaby.com>:
>
>>
>> Please don't make the mistake of presuming "ip == user".
>>
>> You've already identified the case (behind a NAT) where many users share
>> the same IP, but consider also the "walled garden" of AOL users, where the
>> same user can come in from different IPs during a single session.
>>
>> You must allow for that.
>>
>>
>
> Are you sure we still have to allow for that?  AOL made changes in late
> 2006:
>
>     http://en.wikipedia.org/wiki/Wikipedia:AOL
>
> But, it really doesn't matter if AOL "walled gardens" are still a problem or
> not, because the NAT problem is still there.  So, doing a simple IP check is
> still a problem anyway.
>
> Nevin
> _______________________________________________
> seaside mailing list
> seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>



-- 
Best regards,
Igor Stasenko AKA sig.
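To make the point in Igor's message concrete (that a cookie and a URL parameter are equally exposed on a plaintext connection), here is an added example that is not part of the thread and not Seaside's own code. It parses two constructed raw HTTP requests, one carrying the session id in a Cookie header and one in the query string, and recovers the same secret from both. The parameter name `_s`, the host name and the token value are assumptions for the demonstration; the page shows no real identifiers.

```python
"""Recover a session id from captured plaintext HTTP requests.

Added example, not from the Seaside thread or the Seaside project.
Assumptions: the session id travels under the name "_s" (either as a
cookie or as a query parameter); the host and token values below are
constructed sample data.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic: two requests from the same client, one with the
# session id in a cookie, one in the URL. Without TLS both are readable by
# anyone on the path, which is why the transport choice does not matter.
COOKIE_REQUEST = (
    "GET /app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: _s=ZJ4KJ2d9; theme=dark\r\n"
    "\r\n"
)
URL_REQUEST = (
    "GET /app?_s=ZJ4KJ2d9&_k=abc123 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)
NO_SESSION_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (target, headers dict).

    Header names are lower-cased; the body, if any, is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    target = request_line[1] if len(request_line) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def session_id_from_request(raw, name="_s"):
    """Return the session id called `name` wherever it appears in the request.

    Checks the query string first, then the Cookie header; returns None if
    the request carries no session id under that name.
    """
    target, headers = parse_request(raw)

    # 1. Session id passed in the URL (unique-URL scheme).
    query = parse_qs(urlsplit(target).query)
    if name in query and query[name]:
        return query[name][0]

    # 2. Session id passed as a cookie (cookie scheme).
    for pair in headers.get("cookie", "").split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name and value:
            return value

    return None


if __name__ == "__main__":
    for label, req in (("cookie", COOKIE_REQUEST), ("url", URL_REQUEST)):
        print(label, "->", session_id_from_request(req))
```

The extractor is transport-agnostic on purpose: the attacker who can read the packets does not care which mechanism the application chose, so the only fix that removes the exposure is encrypting the connection, as the message says.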

