<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000"><p><font size=2 color=navy face=Arial>
WASessionProtector + Cookies + SSL? We recently passed a strict audit which deemed this solution to be just that, "good enough". There are no perfectly secure applications out there.<br>
<br>-Boris (via BlackBerry)</font></p>
<p><hr size=2 width="100%" align=center tabindex=-1>
<font face=Tahoma size=2>
<b>From</b>: seaside-bounces@lists.squeakfoundation.org <seaside-bounces@lists.squeakfoundation.org>
<br><b>To</b>: Seaside - general discussion <seaside@lists.squeakfoundation.org>
<br><b>Sent</b>: Tue Apr 21 20:58:54 2009<br><b>Subject</b>: Re: NAT'd IP's Re: [Seaside] Seaside session stealing
<br></font></p>
Yes, but sometimes there's a "good enough" solution. It depends on
your security needs.<br>
<br>
On my Seaside site, all that a security breach reveals is the postal
address of the person that got "breached". No financial data is
compromised. And, if a person is sophisticated enough to sniff the
packets, they are sophisticated enough to discover a person's postal
address some other way anyway (for example, by looking through a local
phone book).<br>
<br>
I don't know that SSL is needed for such a small security issue.<br>
<br>
But, if a normal user shares a URL with another normal user, it might
upset them to see the address of the first person on the website due to
a session hijacking.<br>
<br>
So, I just need to detect these simple cases, and handle it gracefully.<br>
<br>
Nevin<br>
<br>
<blockquote
cite="mid:4a5f5f320904212032m14821782k2071a3f1fd734e4a@mail.gmail.com"
type="cite">
<pre wrap="">If one can sniff the TCP traffic between server and user, there is no
difference how you pass a session id - using cookies or unique URL -
because both can be extracted from packets.
I think that except SSL, there is no really secure solution.
2009/4/22 Nevin Pratt <a class="moz-txt-link-rfc2396E" href="mailto:nevin@bountifulbaby.com"><nevin@bountifulbaby.com></a>:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Please don't make the mistake of presuming "ip == user".
You've already identified the case (behind a NAT) where many users share the
same IP, but consider also the "walled garden" of AOL users, where the same
user can come in from different IPs during a single session.
You must allow for that.
</pre>
</blockquote>
<pre wrap="">Are you sure we still have to allow for that? AOL made changes in late
2006:
  <a class="moz-txt-link-freetext" href="http://en.wikipedia.org/wiki/Wikipedia:AOL">http://en.wikipedia.org/wiki/Wikipedia:AOL</a>
But, it really doesn't matter if AOL "walled gardens" are still a problem or
not, because the NAT problem is still there. So, doing a simple IP check is
still a problem anyway.
Nevin
_______________________________________________
seaside mailing list
<a class="moz-txt-link-abbreviated" href="mailto:seaside@lists.squeakfoundation.org">seaside@lists.squeakfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside</a>
</pre>
</blockquote>
</blockquote>
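<p><font face=Tahoma size=2>A defender-side sketch of the "URL id plus cookie" session binding discussed above (Boris's WASessionProtector + cookies, and Nevin's wish to detect a shared link and handle it gracefully), added here as an example; it is not code from Seaside or from any of the posters. The <code>SessionStore</code> and <code>handle_request</code> names, the id and cookie layout, and the "restart with an empty session" policy are assumptions modelled on the idea, not on Seaside's implementation.</font></p>

```python
import hmac
import secrets


class SessionStore:
    """Sessions are looked up by a URL-carried id, as in Seaside, but each one
    also holds a secret that is sent only as a cookie. A shared link carries the
    URL id and nothing else, so it must not unlock the original user's data.
    No IP address is recorded: NAT and roaming users make it useless as a binding."""

    def __init__(self):
        self._sessions = {}  # url_id -> {"secret": cookie value, "data": session state}

    def create(self, data):
        url_id = secrets.token_urlsafe(16)
        cookie_secret = secrets.token_urlsafe(32)
        self._sessions[url_id] = {"secret": cookie_secret, "data": dict(data)}
        return url_id, cookie_secret

    def resolve(self, url_id, cookie_secret):
        """Return (data, outcome); outcome is "ok", "unknown" or "mismatch"."""
        sess = self._sessions.get(url_id)
        if sess is None:
            return None, "unknown"  # expired, or an id that never existed
        if cookie_secret is None or not hmac.compare_digest(
            sess["secret"].encode(), cookie_secret.encode()
        ):
            # URL id presented without its cookie: most likely a shared link
            # (or a lost cookie). Either way, do not reveal the first user's state.
            return None, "mismatch"
        return sess["data"], "ok"


def handle_request(store, url_id, cookie_secret):
    """Constructed request handler: continue the session when both halves match,
    otherwise start a fresh, empty session instead of rendering a page that is
    not the visitor's. The original session stays intact for its real owner.
    This only addresses link sharing: a sniffer on the wire sees both the URL
    and the cookie, which is why the thread still ends at SSL."""
    data, outcome = store.resolve(url_id, cookie_secret)
    if outcome == "ok":
        return {"status": "continue", "data": data}
    new_id, new_secret = store.create({})
    return {"status": "restart", "reason": outcome,
            "new_url_id": new_id, "set_cookie": new_secret}
```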
<br>
</body>
</html>