NAT'd IP's Re: [Seaside] Seaside session stealing
siguctua at gmail.com
Wed Apr 22 03:32:05 UTC 2009
If one can sniff the TCP traffic between the server and the user, it makes no
difference how you pass a session id - using cookies or a unique URL -
because both can be extracted from the packets.
I think that, except for SSL, there is no really secure solution.
2009/4/22 Nevin Pratt <nevin at bountifulbaby.com>:
>> Please don't make the mistake of presuming "ip == user".
>> You've already identified the case (behind a NAT) where many users share
>> same IP, but consider also the "walled garden" of AOL users, where the
>> user can come in from different IPs during a single session.
>> You must allow for that.
> Are you sure we still have to allow for that? AOL made changes in late
> But, it really doesn't matter if AOL "walled gardens" are still a problem or
> not, because the NAT problem is still there. So, doing a simple IP check is
> still a problem anyway.
Igor Stasenko AKA sig.
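
The two points made in this thread, as an added example that is not part of the original post: on an unencrypted connection a session id is equally readable whether it travels in the URL or in a cookie, and a simple IP check both accepts a different user behind the same NAT and rejects the owner arriving from another proxy address. The parameter name `sid`, the host name and all addresses are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed plaintext HTTP requests; "sid" and every value here are made up.
URL_STYLE = b"GET /app?sid=abc123 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
COOKIE_STYLE = b"GET /app HTTP/1.1\r\nHost: shop.example\r\nCookie: sid=abc123\r\n\r\n"

def session_id_on_wire(raw, name="sid"):
    """Return the session id readable by anyone who sees the unencrypted bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    target = request_line.split(" ")[1]
    in_url = parse_qs(urlsplit(target).query).get(name)
    if in_url:
        return in_url[0]
    for h in headers:
        key, _, value = h.partition(":")
        if key.strip().lower() == "cookie":
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                if k == name:
                    return v
    return None

def ip_check(bound_ip, source_ip):
    """The 'simple IP check' from the thread: accept only the login address."""
    return source_ip == bound_ip

# Constructed traffic for one session bound to 203.0.113.7 at login.
# (who, source_ip): 'owner' is the legitimate user, 'other' is anyone else.
TRAFFIC = [
    ("owner", "203.0.113.7"),    # same address as at login
    ("other", "203.0.113.7"),    # a different person behind the same NAT
    ("owner", "198.51.100.20"),  # owner routed through another proxy address
]

def score(bound_ip, traffic):
    """Count wrong decisions: (accepted non-owners, rejected owner requests)."""
    wrong_accept = sum(1 for who, ip in traffic
                       if who != "owner" and ip_check(bound_ip, ip))
    wrong_reject = sum(1 for who, ip in traffic
                       if who == "owner" and not ip_check(bound_ip, ip))
    return wrong_accept, wrong_reject

if __name__ == "__main__":
    print(session_id_on_wire(URL_STYLE), session_id_on_wire(COOKIE_STYLE))
    print(score("203.0.113.7", TRAFFIC))
```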