<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Yes, but sometimes there's a "good enough" solution. It depends on
your security needs.<br>
<br>
On my Seaside site, all that a security breach reveals is the postal
address of the person that got "breached". No financial data is
compromised. And, if a person is sophisticated enough to sniff the
packets, they are sophisticated enough to discover a person's postal
address some other way anyway (for example, by looking through a local
phone book).<br>
<br>
I don't know that SSL is needed for such a small security issue.<br>
<br>
But, if a normal user shares a URL with another normal user, it might
upset them to see the address of the first person on the website due to
a session hijacking.<br>
<br>
So, I just need to detect these simple cases, and handle it gracefully.<br>
<br>
Nevin<br>
<br>
<blockquote
cite="mid:4a5f5f320904212032m14821782k2071a3f1fd734e4a@mail.gmail.com"
type="cite">
<pre wrap="">If one can sniff the TCP traffic between server and user, there is no
difference how you pass a session id - using cookies or unique URL -
because both can be extracted from packets.
I think that except SSL, there is no really secure solution.
2009/4/22 Nevin Pratt <a class="moz-txt-link-rfc2396E" href="mailto:nevin@bountifulbaby.com"><nevin@bountifulbaby.com></a>:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Please don't make the mistake of presuming "ip == user".
You've already identified the case (behind a NAT) where many users share
the same IP, but consider also the "walled garden" of AOL users, where the
same user can come in from different IPs during a single session.
You must allow for that.
</pre>
</pre>
</blockquote>
<pre wrap="">Are you sure we still have to allow for that? AOL made changes in late 2006:
  <a class="moz-txt-link-freetext" href="http://en.wikipedia.org/wiki/Wikipedia:AOL">http://en.wikipedia.org/wiki/Wikipedia:AOL</a>
But, it really doesn't matter if AOL "walled gardens" are still a problem or
not, because the NAT problem is still there. So, doing a simple IP check is
still a problem anyway.
Nevin
_______________________________________________
seaside mailing list
<a class="moz-txt-link-abbreviated" href="mailto:seaside@lists.squeakfoundation.org">seaside@lists.squeakfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside</a>
</pre>
</blockquote>
</blockquote>
<br>
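One way to detect the "shared URL" case the reply describes without falling back on an IP check, shown here as an added illustration that is not code from this thread or from Seaside itself: the URL session id is paired with a second secret that lives only in a cookie, so a request carrying a valid URL id but no matching cookie is treated as a pasted link and quietly gets a fresh, empty session instead of the first user's address. All names and the sample address are constructed for the example; as the thread already notes, this does nothing against someone sniffing the traffic, since without SSL both values travel in the clear.

```python
import hmac
import secrets


class SessionStore:
    """Sessions keyed by a URL session id (in the spirit of Seaside's _s
    parameter), each bound to a secret that exists only in a cookie.
    Hypothetical names; not Seaside's API."""

    def __init__(self):
        # url_id -> {"cookie_secret": str, "data": dict}
        self._sessions = {}

    def create(self, data):
        url_id = secrets.token_urlsafe(16)
        cookie_secret = secrets.token_urlsafe(32)
        self._sessions[url_id] = {"cookie_secret": cookie_secret, "data": dict(data)}
        return url_id, cookie_secret

    def resolve(self, url_id, cookie_secret):
        """Return (status, data); status is 'ok', 'shared-url' or 'unknown'."""
        entry = self._sessions.get(url_id)
        if entry is None:
            return "unknown", None
        # Constant-time compare, so the secret cannot be guessed byte by byte.
        if cookie_secret is None or not hmac.compare_digest(
            entry["cookie_secret"], cookie_secret
        ):
            # The URL id is real but this browser never received the cookie:
            # almost certainly a shared link, not the session's owner.
            return "shared-url", None
        return "ok", entry["data"]


def handle_request(store, url_id, cookie_secret):
    """Graceful handling: the owner sees their data; anyone else gets a
    brand-new empty session rather than an error or the owner's address."""
    status, data = store.resolve(url_id, cookie_secret)
    if status == "ok":
        return {"status": status, "address": data["address"]}
    new_id, new_secret = store.create({"address": None})
    return {"status": status, "address": None, "new_session": (new_id, new_secret)}


def demo():
    store = SessionStore()
    url_id, cookie = store.create({"address": "12 Example Street (constructed)"})
    owner = handle_request(store, url_id, cookie)
    # A second browser follows the same URL but holds no cookie for it.
    visitor = handle_request(store, url_id, None)
    return owner, visitor
```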
</body>
</html>