NAT'd IP's Re: [Seaside] Seaside session stealing

Nevin Pratt nevin at
Wed Apr 22 03:58:54 UTC 2009

Yes, but sometimes there's a "good enough" solution.  It depends on your 
security needs.

On my Seaside site, all that a security breach reveals is the postal 
address of the person that got "breached".  No financial data is 
compromised.  And, if a person is sophisticated enough to sniff the 
packets, they are sophisticated enough to discover a person's postal 
address some other way anyway (for example, by looking through a local 
phone book).

I don't know that SSL is needed for such a small security issue.

But, if a normal user shares a URL with another normal user, it might 
upset them to see the address of the first person on the website due to 
a session hijacking.

So, I just need to detect these simple cases, and handle it gracefully.


> If one can sniff the TCP traffic between server and user, there is no
> difference how you pass a session id - using cookies or unique URL -
> because both can be extracted from packets.
> I think that except SSL, there is no really secure solution.
> 2009/4/22 Nevin Pratt <nevin at>:
>>> Please don't make the mistake of presuming "ip == user".
>>> You've already identified the case (behind a NAT) where many users share
>>> the
>>> same IP, but consider also the "walled garden" of AOL users, where the
>>> same
>>> user can come in from different IPs during a single session.
>>> You must allow for that.
>> Are you sure we still have to allow for that? Â AOL made changes in late
>> 2006:
>> Â  Â
>> But, it really doesn't matter if AOL "walled gardens" are still a problem or
>> not, because the NAT problem is still there. Â So, doing a simple IP check is
>> still a problem anyway.
>> Nevin
>> _______________________________________________
>> seaside mailing list
>> seaside at

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the seaside mailing list