NAT'd IP's Re: [Seaside] Seaside session stealing
Boris Popov
boris at deepcovelabs.com
Wed Apr 22 04:26:28 UTC 2009
WASessionProtector + Cookies + SSL? We recently passed a strict audit which deemed this solution to be just that, "good enough". There are no perfectly secure applications out there.
-Boris (via BlackBerry)
________________________________
From: seaside-bounces at lists.squeakfoundation.org
To: Seaside - general discussion
Sent: Tue Apr 21 20:58:54 2009
Subject: Re: NAT'd IP's Re: [Seaside] Seaside session stealing
Yes, but sometimes there's a "good enough" solution. It depends on your security needs.
On my Seaside site, all that a security breach reveals is the postal address of the person that got "breached". No financial data is compromised. And, if a person is sophisticated enough to sniff the packets, they are sophisticated enough to discover a person's postal address some other way anyway (for example, by looking through a local phone book).
I don't know that SSL is needed for such a small security issue.
But, if a normal user shares a URL with another normal user, it might upset them to see the address of the first person on the website due to a session hijacking.
So, I just need to detect these simple cases, and handle it gracefully.
Nevin
If one can sniff the TCP traffic between server and user, there is no
difference how you pass a session id - using cookies or unique URL -
because both can be extracted from packets.
I think that except SSL, there is no really secure solution.
2009/4/22 Nevin Pratt <nevin at bountifulbaby.com> <mailto:nevin at bountifulbaby.com> :
Please don't make the mistake of presuming "ip == user".
You've already identified the case (behind a NAT) where many users share
the
same IP, but consider also the "walled garden" of AOL users, where the
same
user can come in from different IPs during a single session.
You must allow for that.
Are you sure we still have to allow for that? Â AOL made changes in late
2006:
  http://en.wikipedia.org/wiki/Wikipedia:AOL
But, it really doesn't matter if AOL "walled gardens" are still a problem or
not, because the NAT problem is still there. Â So, doing a simple IP check is
still a problem anyway.
Nevin
_______________________________________________
seaside mailing list
seaside at lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.squeakfoundation.org/pipermail/seaside/attachments/20090421/6b435f65/attachment.htm
More information about the seaside
mailing list