NAT'd IP's Re: [Seaside] Seaside session stealing

Nevin Pratt nevin at bountifulbaby.com
Wed Apr 22 03:58:54 UTC 2009


Yes, but sometimes there's a "good enough" solution.  It depends on your 
security needs.

On my Seaside site, all that a security breach reveals is the postal 
address of the person that got "breached".  No financial data is 
compromised.  And, if a person is sophisticated enough to sniff the 
packets, they are sophisticated enough to discover a person's postal 
address some other way anyway (for example, by looking through a local 
phone book).

I don't know that SSL is needed for such a small security issue.

But, if a normal user shares a URL with another normal user, it might 
upset them to see the address of the first person on the website due to 
a session hijacking.

So, I just need to detect these simple cases and handle them gracefully.

Nevin

> If one can sniff the TCP traffic between server and user, it makes no
> difference how you pass a session id - using cookies or a unique URL -
> because both can be extracted from the packets.
> I think that, apart from SSL, there is no really secure solution.
>
>
> 2009/4/22 Nevin Pratt <nevin at bountifulbaby.com>:
>>> Please don't make the mistake of presuming "ip == user".
>>>
>>> You've already identified the case (behind a NAT) where many users share
>>> the
>>> same IP, but consider also the "walled garden" of AOL users, where the
>>> same
>>> user can come in from different IPs during a single session.
>>>
>>> You must allow for that.
>>>
>> Are you sure we still have to allow for that? AOL made changes in late
>> 2006:
>>
>>     http://en.wikipedia.org/wiki/Wikipedia:AOL
>>
>> But, it really doesn't matter if AOL "walled gardens" are still a problem or
>> not, because the NAT problem is still there. So, doing a simple IP check is
>> still a problem anyway.
>>
>> Nevin
>> _______________________________________________
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>>
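Added example, not code from the thread or from Seaside: a small Python model of the two approaches discussed above. It binds the session to a second secret that lives only in a cookie, so a pasted URL alone never reveals the owner's data, and it shows why the "ip == user" check fails both for two users behind one NAT and for one user whose IP changes mid-session. The IPs, names and postal address are constructed sample values.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    sid: str            # id that travels in the URL (what a shared link leaks)
    cookie_token: str   # second secret sent only as a cookie, never in the URL
    owner_ip: str
    address: str        # the only sensitive datum in this model

class SessionStore:
    def __init__(self):
        self.sessions = {}

    def create(self, ip, address=""):
        s = Session(secrets.token_urlsafe(16), secrets.token_urlsafe(16), ip, address)
        self.sessions[s.sid] = s
        return s

def check_ip_only(store, sid, ip):
    """The naive 'ip == user' binding: wrong both ways under NAT and roaming."""
    s = store.sessions.get(sid)
    return s is not None and s.owner_ip == ip

def check_cookie_bound(store, sid, cookie_token):
    """Require a second secret that a pasted URL does not carry."""
    s = store.sessions.get(sid)
    if s is None or cookie_token is None:
        return False
    return secrets.compare_digest(s.cookie_token, cookie_token)

def handle_request(store, sid, cookie_token, ip):
    """Valid URL id but no matching cookie: start a fresh, empty session instead."""
    if check_cookie_bound(store, sid, cookie_token):
        return ("owner", store.sessions[sid].address)
    fresh = store.create(ip)
    return ("fresh", fresh.address)

def scenarios():
    store = SessionStore()
    alice = store.create("203.0.113.10", "1 Main St")  # constructed sample data
    return {
        # Alice pastes her URL to Bob, who sits behind the same NAT address.
        "nat_ip_only": check_ip_only(store, alice.sid, "203.0.113.10"),          # True: missed
        "nat_cookie": check_cookie_bound(store, alice.sid, None),               # False: caught
        # Alice's own public IP changes mid-session (roaming / proxy pool).
        "roam_ip_only": check_ip_only(store, alice.sid, "198.51.100.7"),         # False: locked out
        "roam_cookie": check_cookie_bound(store, alice.sid, alice.cookie_token),  # True
        "bob_sees": handle_request(store, alice.sid, None, "203.0.113.10"),      # ("fresh", "")
    }
```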
