NAT'd IP's Re: [Seaside] Seaside session stealing

Boris Popov boris at
Wed Apr 22 04:26:28 UTC 2009

WASessionProtector + Cookies + SSL? We recently passed a strict audit which deemed this solution to be just that, "good enough". There are no perfectly secure applications out there.

-Boris (via BlackBerry)


From: seaside-bounces at 
To: Seaside - general discussion 
Sent: Tue Apr 21 20:58:54 2009
Subject: Re: NAT'd IP's Re: [Seaside] Seaside session stealing 

Yes, but sometimes there's a "good enough" solution.  It depends on your security needs.

On my Seaside site, all that a security breach reveals is the postal address of the person that got "breached".  No financial data is compromised.  And, if a person is sophisticated enough to sniff the packets, they are sophisticated enough to discover a person's postal address some other way anyway (for example, by looking through a local phone book).

I don't know that SSL is needed for such a small security issue.

But, if a normal user shares a URL with another normal user, it might upset them to see the address of the first person on the website due to a session hijacking.

So, I just need to detect these simple cases, and handle it gracefully.


	If one can sniff the TCP traffic between server and user, there is no
	difference how you pass a session id - using cookies or unique URL -
	because both can be extracted from packets.
	I think that except SSL, there is no really secure solution.
	2009/4/22 Nevin Pratt <nevin at> <mailto:nevin at> :

			Please don't make the mistake of presuming "ip == user".
			You've already identified the case (behind a NAT) where many users share
			same IP, but consider also the "walled garden" of AOL users, where the
			user can come in from different IPs during a single session.
			You must allow for that.

		Are you sure we still have to allow for that? Â AOL made changes in late
		Â  Â
		But, it really doesn't matter if AOL "walled gardens" are still a problem or
		not, because the NAT problem is still there. Â So, doing a simple IP check is
		still a problem anyway.
		seaside mailing list
		seaside at


-------------- next part --------------
An HTML attachment was scrubbed...

More information about the seaside mailing list