<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Sorry to follow up to my own post, but obviously a simple IP check
doesn't work for multiple users behind the same router, whose IP got
NAT'd to all be the same IP.<br>
<br>
So, I'm still thinking a combination of a "remember me" cookie, and an
IP check, is still needed. But I accidentally reversed their order in
my post below. Here it is again, in proper order:<br>
<br>
1. Check for a "remember me" cookie. If a
proper "remember me" cookie exists, then the session is NOT stolen.<br>
<br>
2. If we don't get a proper "remember me" cookie back from the user,
then check to see if cookies are enabled in the user's browser. If
they are not even enabled, then default to an IP check-- if the IP is
the same, consider that the session is NOT stolen.<br>
<br>
3. If the above two checks fail, then assume the session is stolen.<br>
<br>
The hole in the above, though, is users whose IP is being NAT'd, *and*
have cookies turned off, could hijack sessions between each other.
But, for non-banking, non-financial data, this is probably secure
enough, and lets the website reach the widest audience, whether they
have cookies enabled or not.<br>
<br>
At least, that's my thought.<br>
<br>
Nevin<br>
<br>
<blockquote cite="mid:49EE6559.3000303@bountifulbaby.com" type="cite">Hi
everyone,<br>
<br>
Seaside sessions can be "stolen" with something as simple as user's
sharing a URL (one person emailing a URL to another person, for
example). There are various ways to guard against this problem. This
email is a discussion of some of those ways.<br>
<br>
The obvious (non)solution is to configure Seaside to use cookies for
the session data. The reason I say it is a *non*-solution is because
users cannot have more than one window open to your website with this
method, because the cookie is shared with all windows of the browser.
Also, some users have browser cookies turned off, thereby cutting off
all access to a Seaside website that is using session cookies.<br>
<br>
Another idea is to look at the IP of the user. But, at one time, AOL
users (using AOL's proxy servers) would often have their IP changed
with (potentially) *every* request, thus making it completely
unpractical to rely on the user's IP.<br>
<br>
However, in late 2006, AOL agreed to send <i>X-Forwarded-For</i>
headers, which now are supposed to accurately identify AOL users' home
IP addresses. Here is a Wikipedia reference for more information on
this:<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://en.wikipedia.org/wiki/Wikipedia:AOL">http://en.wikipedia.org/wiki/Wikipedia:AOL</a><br>
<br>
With this change in AOL, I am thinking that *maybe* it is now practical
to guard against Seaside session stealing via simple IP checks, with
something like the following code:<br>
<br>
<br>
<tt> | currentAccessIP |<br>
currentAccessIP := self session currentRequest nativeRequest <br>
headerAt: 'x-forwarded-for'<br>
ifAbsent: [].<br>
currentAccessIP ~= lastClientAccessIP ifTrue: ["the Seaside session
has been stolen"].<br>
</tt><br>
<br>
(obviously "<tt>lastClientAccessIP</tt>" would have had to have already
been set, via the user's very first hit to the website)<br>
<br>
<br>
But I'm not sure if this would be sufficient. That's my question to
everyone-- do you think IP checks can now be relied upon to guard
against session stealing, or not?<br>
<br>
I've looked at some PHP code that approached the session-stealing
problem with a simple "remember me" cookie. The "remember me" cookie
is uniquely set when the user first starts interacting with the
website, and then if a subsequent request does not have the cookie, the
session is deemed to have been stolen. But, obviously this approach
does not work for users that turn cookies off.<br>
<br>
Another approach I've wondered about (and seems quite secure) is the
following:<br>
<br>
1. Use an IP check-- if the IP is the same, the session is NOT stolen.<br>
<br>
2. If the IP is different, then check for a "remember me" cookie. If a
proper "remember me" cookie exists, then the session is NOT stolen.<br>
<br>
3. If the above two checks fail, then assume the session is stolen.<br>
<br>
But I'm not sure if something that elaborate is really needed any
more. I'm thinking that possibly a simple IP check will suffice these
days. But I'm scared to try only doing an IP check, and nothing else
:-) :-)<br>
<br>
Does anybody else have any thoughts on this?<br>
<br>
Nevin<br>
<br>
<br>
<br>
<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
seaside mailing list
<a class="moz-txt-link-abbreviated" href="mailto:seaside@lists.squeakfoundation.org">seaside@lists.squeakfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside</a>
</pre>
</blockquote>
<br>
</body>
</html>