NAT'd IP's Re: [Seaside] Seaside session stealing
nevin at bountifulbaby.com
Wed Apr 22 03:58:54 UTC 2009
Yes, but sometimes there's a "good enough" solution. It depends on your
On my Seaside site, all that a security breach reveals is the postal
address of the person that got "breached". No financial data is
compromised. And, if a person is sophisticated enough to sniff the
packets, they are sophisticated enough to discover a person's postal
address some other way anyway (for example, by looking through a local
I don't know that SSL is needed for such a small security issue.
But, if a normal user shares a URL with another normal user, it might
upset them to see the address of the first person on the website due to
a session hijacking.
So, I just need to detect these simple cases, and handle it gracefully.
> If one can sniff the TCP traffic between server and user, there is no
> difference how you pass a session id - using cookies or unique URL -
> because both can be extracted from packets.
> I think that except SSL, there is no really secure solution.
> 2009/4/22 Nevin Pratt <nevin at bountifulbaby.com>:
>>> Please don't make the mistake of presuming "ip == user".
>>> You've already identified the case (behind a NAT) where many users share
>>> same IP, but consider also the "walled garden" of AOL users, where the
>>> user can come in from different IPs during a single session.
>>> You must allow for that.
>> Are you sure we still have to allow for that? Â AOL made changes in late
>> Â Â http://en.wikipedia.org/wiki/Wikipedia:AOL
>> But, it really doesn't matter if AOL "walled gardens" are still a problem or
>> not, because the NAT problem is still there. Â So, doing a simple IP check is
>> still a problem anyway.
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the seaside