<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Ross Boylan wrote:
<blockquote cite="mid:1241390149.19465.49.camel@corn.betterworld.us"
type="cite">
<pre wrap="">On Sun, 2009-05-03 at 12:42 -0600, Nevin Pratt wrote:
</pre>
<blockquote type="cite">
<pre wrap="">For your app, I'd consider making your entire site use SSL, and I'd
consider requiring cookies. I'd also consider configuring Seaside for
using cookies for the session key, plus use a secondary cookie for
additional "branding" of your login/logout process.
</pre>
</blockquote>
<pre wrap=""><!---->I think also I'd want to add the wrapper that only permits sessions to
use the original IP address.
Are there any hidden problems that my turn up with clients that are
NAT'd or using a proxy? I suppose a multi-homed client (more likely a
proxy) might randomly start using a different IP address.
I wasn't familiar with branding, but with Google's help I understand.
Thanks for mentioning it.
Thanks to everyone who responded.
Ross
</pre>
</blockquote>
<br>
A few weeks ago when I was testing what you are suggesting (only permit
sessions to use the original IP address), I found (for example) the
following in my log file, all associated to the same session:<br>
<br>
<blockquote>CurrentIP=205.188.116.142 LastIP=205.188.116.74 <br>
CurrentIP=205.188.116.16 LastIP=205.188.116.142 <br>
CurrentIP=205.188.116.73 LastIP=205.188.116.16 <br>
CurrentIP=205.188.117.11 LastIP=205.188.116.73 <br>
CurrentIP=205.188.116.72 LastIP=205.188.117.11 <br>
</blockquote>
<br>
Look at the sequence, and you can see that somebody was changing their
IP with every request.<br>
<br>
Now do a reverse IP lookup on any of those IP's, and what do you find?
<br>
<br>
<blockquote>205.188.116.142 resolves to<br>
"cache-dtc-ac13.proxy.aol.com"<br>
Top Level Domain: "aol.com"<br>
</blockquote>
So, I can confirm that AOL users will typically change their IP with
every request.<br>
<br>
And, AOL isn't the only ISP I found that does this.<br>
<br>
Yes, you certainly can use the wrapper that only permits sessions to
use the original IP address. But that will also *definitely* limit
your audience, of who can successfully use your website.<br>
<br>
I definitely would *not* do that with an eCommerce site. I don't think
I'd do it with a banking site, either. But I *might* do it for a
specialized web app that I had complete control over the clients,
though.<br>
<br>
I personally think that the wrapper that ties the sessions to only
their original IP is a rather worthless wrapper for the vast majority
of Seaside apps. But their is a very small subset of apps that it is a
good idea for, and I think would work well for. I'm just not sure if
your app is one of those.<br>
<br>
Nevin<br>
<br>
<br>
<br>
</body>
</html>