[Seaside] Security

Nevin Pratt nevin at bountifulbaby.com
Mon May 4 00:19:24 UTC 2009


Ross Boylan wrote:
> On Sun, 2009-05-03 at 12:42 -0600, Nevin Pratt wrote:
>   
>> For your app, I'd consider making your entire site use SSL, and I'd
>> consider requiring cookies.  I'd also consider configuring Seaside for
>> using cookies for the session key, plus use a secondary cookie for
>> additional "branding" of your login/logout process.
>>     
> I think also I'd want to add the wrapper that only permits sessions to
> use the original IP address.
>
> Are there any hidden problems that may turn up with clients that are
> NAT'd or using a proxy?  I suppose a multi-homed client (more likely a
> proxy) might randomly start using a different IP address.
>
> I wasn't familiar with branding, but with Google's help I understand.
> Thanks for mentioning it.
>
> Thanks to everyone who responded.
>
> Ross
>
>   

A few weeks ago when I was testing what you are suggesting (only permit 
sessions to use the original IP address), I found (for example) the 
following in my log file, all associated to the same session:

    CurrentIP=205.188.116.142 LastIP=205.188.116.74
    CurrentIP=205.188.116.16 LastIP=205.188.116.142
    CurrentIP=205.188.116.73 LastIP=205.188.116.16
    CurrentIP=205.188.117.11 LastIP=205.188.116.73
    CurrentIP=205.188.116.72 LastIP=205.188.117.11


Look at the sequence, and you can see that somebody was changing their 
IP with every request.

Now do a reverse IP lookup on any of those IP's, and what do you find? 

    205.188.116.142 resolves to
    "cache-dtc-ac13.proxy.aol.com"
    Top Level Domain: "aol.com"

So, I can confirm that AOL users will typically change their IP with 
every request.

And, AOL isn't the only ISP I found that does this.

Yes, you certainly can use the wrapper that only permits sessions to use 
the original IP address.  But that will also *definitely* limit your 
audience, of who can successfully use your website.

I definitely would *not* do that with an eCommerce site.  I don't think 
I'd do it with a banking site, either.  But I *might* do it for a 
specialized web app that I had complete control over the clients, though.

I personally think that the wrapper that ties the sessions to only their 
original IP is a rather worthless wrapper for the vast majority of 
Seaside apps.  But there is a very small subset of apps that it is a 
good idea for, and I think would work well for.  I'm just not sure if 
your app is one of those.

Nevin
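To make the failure mode concrete, here is an added example (not code from the thread or from Seaside, written in Python rather than Smalltalk) that replays the five log lines quoted above through the strict "original IP only" policy and through a hypothetical relaxed policy that accepts any address inside the same network prefix. The log format and the addresses are the ones in the post; the prefix check is an assumption for illustration, not a Seaside feature.

```python
import ipaddress
import re

# Constructed sample: the session log lines quoted in the post, one per request.
LOG_LINES = """\
CurrentIP=205.188.116.142 LastIP=205.188.116.74
CurrentIP=205.188.116.16 LastIP=205.188.116.142
CurrentIP=205.188.116.73 LastIP=205.188.116.16
CurrentIP=205.188.117.11 LastIP=205.188.116.73
CurrentIP=205.188.116.72 LastIP=205.188.117.11
""".splitlines()

LINE_RE = re.compile(r"CurrentIP=(\S+)\s+LastIP=(\S+)")


def parse_log(lines):
    """Return (current, last) address pairs from lines in the post's log format."""
    pairs = []
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            pairs.append((ipaddress.ip_address(match.group(1)),
                          ipaddress.ip_address(match.group(2))))
    return pairs


def strict_check(current, last):
    """The wrapper discussed in the thread: a request is valid only from the
    address the session was last seen on (each LastIP is the previous CurrentIP)."""
    return current == last


def prefix_check(current, last, prefix_len=16):
    """Hypothetical relaxed policy: accept a move as long as the new address is
    inside the same /prefix_len network as the previous one."""
    net = ipaddress.ip_network((last, prefix_len), strict=False)
    return current in net


def count_rejections(lines, check):
    """Number of logged requests the given policy would have refused."""
    return sum(1 for cur, last in parse_log(lines) if not check(cur, last))


if __name__ == "__main__":
    print("strict:", count_rejections(LOG_LINES, strict_check))   # 5 of 5 rejected
    print("/24:", count_rejections(LOG_LINES, lambda c, l: prefix_check(c, l, 24)))  # 2
    print("/16:", count_rejections(LOG_LINES, prefix_check))      # 0
```

Even a /24 relaxation still refuses two of the five requests, because the proxy pool spans 205.188.116.0/24 and 205.188.117.0/24; that is the audience loss the post warns about, and it is why this wrapper only suits apps whose clients you control.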


