[Seaside] Security

Nevin Pratt nevin at bountifulbaby.com
Mon May 4 00:19:24 UTC 2009

Ross Boylan wrote:
> On Sun, 2009-05-03 at 12:42 -0600, Nevin Pratt wrote:
>> For your app, I'd consider making your entire site use SSL, and I'd
>> consider requiring cookies.  I'd also consider configuring Seaside for
>> using cookies for the session key, plus use a secondary cookie for
>> additional "branding" of your login/logout process.
> I think also I'd want to add the wrapper that only permits sessions to
> use the original IP address.
> Are there any hidden problems that may turn up with clients that are
> NAT'd or using a proxy?  I suppose a multi-homed client (more likely a
> proxy) might randomly start using a different IP address.
> I wasn't familiar with branding, but with Google's help I understand.
> Thanks for mentioning it.
> Thanks to everyone who responded.
> Ross

A few weeks ago when I was testing what you are suggesting (only permit 
sessions to use the original IP address), I found (for example) the 
following in my log file, all associated to the same session:

    CurrentIP= LastIP=
    CurrentIP= LastIP=
    CurrentIP= LastIP=
    CurrentIP= LastIP=
    CurrentIP= LastIP=

Look at the sequence, and you can see that somebody was changing their 
IP with every request.

Now do a reverse IP lookup on any of those IP's, and what do you find? resolves to
    Top Level Domain: "aol.com"

So, I can confirm that AOL users will typically change their IP with 
every request.

And, AOL isn't the only ISP I found that does this.

Yes, you certainly can use the wrapper that only permits sessions to use 
the original IP address.  But that will also *definitely* limit your 
audience of who can successfully use your website.

I definitely would *not* do that with an eCommerce site.  I don't think 
I'd do it with a banking site, either.  But I *might* do it for a 
specialized web app where I had complete control over the clients, though.

I personally think that the wrapper that ties the sessions to only their 
original IP is a rather worthless wrapper for the vast majority of 
Seaside apps.  But there is a very small subset of apps that it is a 
good idea for, and I think would work well for.  I'm just not sure if 
your app is one of those.

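The trade-off Nevin describes above (a strict session-to-IP wrapper locks out clients behind rotating proxy pools) can be measured before it is switched on. The following is an added example, not Seaside code or code from anyone in this thread; it is plain Python, the log format, session ids and addresses (RFC 5737 documentation ranges) are constructed for illustration, and the three policy modes are an assumed design, not a Seaside API. `ip_change_rate` scans log lines in the shape of the "CurrentIP= LastIP=" entries quoted in the message and reports, per session, how often the client address changed; `simulate` then shows what a strict wrapper, a re-authenticate-on-change wrapper and a log-only wrapper would each do to such a session.

```python
"""Session/IP binding policies, plus a pre-flight check against rotating-IP clients."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log lines modelled on the thread's "CurrentIP= LastIP=" entries.
# Session ids and addresses are made up; the addresses are RFC 5737 documentation ranges.
CONSTRUCTED_LOG = """\
session=abc123 CurrentIP=198.51.100.10 LastIP=198.51.100.10
session=abc123 CurrentIP=198.51.100.11 LastIP=198.51.100.10
session=abc123 CurrentIP=198.51.100.12 LastIP=198.51.100.11
session=abc123 CurrentIP=198.51.100.13 LastIP=198.51.100.12
session=def456 CurrentIP=203.0.113.5 LastIP=203.0.113.5
session=def456 CurrentIP=203.0.113.5 LastIP=203.0.113.5
session=def456 CurrentIP=203.0.113.5 LastIP=203.0.113.5
"""

LINE_RE = re.compile(r"session=(\S+) CurrentIP=(\S+) LastIP=(\S+)")


def ip_change_rate(log_text):
    """Per session, the fraction of requests whose IP differs from the previous request.

    Run this over existing logs *before* enabling strict binding: every session with
    a non-zero rate is a client the strict wrapper would have thrown out.
    """
    changes = defaultdict(int)
    requests = defaultdict(int)
    for match in LINE_RE.finditer(log_text):
        session_id, current_ip, last_ip = match.groups()
        requests[session_id] += 1
        if current_ip != last_ip:
            changes[session_id] += 1
    return {sid: changes[sid] / requests[sid] for sid in requests}


def sessions_strict_would_break(log_text):
    """Session ids that a strict IP-binding wrapper would have rejected at least once."""
    return sorted(sid for sid, rate in ip_change_rate(log_text).items() if rate > 0)


@dataclass
class Session:
    session_id: str
    bound_ip: str            # address recorded when the session was created
    authenticated: bool = True
    events: list = field(default_factory=list)   # (old_ip, new_ip) pairs seen


class IpBindingPolicy:
    """Assumed policy modes (not a Seaside API) for handling an IP change mid-session."""
    STRICT = "strict"     # drop the session on any change: the wrapper discussed in the thread
    REAUTH = "reauth"     # keep the session data but require the user to log in again
    LOG_ONLY = "log"      # accept and record; rely on the session cookie and TLS instead

    def __init__(self, mode):
        self.mode = mode

    def check(self, session, request_ip):
        """Apply the policy to one request; returns 'ok', 'reauth' or 'rejected'."""
        if request_ip == session.bound_ip:
            return "ok"
        session.events.append((session.bound_ip, request_ip))
        if self.mode == self.STRICT:
            session.authenticated = False      # session is dead from here on
            return "rejected"
        if self.mode == self.REAUTH:
            session.authenticated = False      # state kept, credentials demanded again
            session.bound_ip = request_ip
            return "reauth"
        session.bound_ip = request_ip          # LOG_ONLY: rebind silently, keep the event
        return "ok"


def simulate(mode, ips):
    """Drive one session through a sequence of request IPs; returns the per-request outcomes."""
    policy = IpBindingPolicy(mode)
    session = Session("sim", ips[0])
    return [policy.check(session, ip) for ip in ips]


if __name__ == "__main__":
    print(ip_change_rate(CONSTRUCTED_LOG))
    print("strict would break:", sessions_strict_would_break(CONSTRUCTED_LOG))
    rotating = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for mode in (IpBindingPolicy.STRICT, IpBindingPolicy.REAUTH, IpBindingPolicy.LOG_ONLY):
        print(mode, simulate(mode, rotating))
```

On the constructed log, session `abc123` changes address on three of four requests, which is the AOL-style pattern from the message; a strict wrapper rejects it from the second request on, the re-authenticate variant keeps the session but prompts for credentials on each change, and the log-only variant records the changes for later review without breaking the user. Whichever mode is chosen, the `events` list gives the operator the same evidence Nevin pulled from his log file.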