List: apache-modperl
Subject: Re: Authentication logic [was: Changing browser URL based on condition]
From: Adam Prime <adam.prime () utoronto ! ca>
Date: 2011-07-17 13:21:31
Message-ID: 4E22E1DB.8040304 () utoronto ! ca
On 7/17/2011 1:16 AM, Phil Van wrote:
> Back to Vincent's original request about session id and login: how
> secure is your session id? Have you signed it? If not, someone can try
> sending random IDs and break your authentication.
>
> Well, if you sign it and sign it properly, you basically end up with the
> same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
> stamp, you should also sign with the user's IP. If the cookie is stolen,
> the originating IP may protect you as a last resort.
Tying a session to an IP can be bad if you use a CDN, or you have
clients that are behind big multihomed transparent proxies. AOL users
in particular used to come from various IPs during a single session.
Adam
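An added example, not code from this thread or from the CPAN modules it mentions: a minimal signed-ticket scheme in Perl using the core Digest::SHA HMAC, with a constructed secret and constructed IPs. It shows the timestamp check Phil describes and makes IP binding optional, so the last call illustrates Adam's point: a ticket bound to one IP is rejected as soon as the same client arrives from another address mid-session.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed server-side secret for the example; load a real one from
# protected configuration, never from the cookie itself.
my $SECRET = 'example-secret-do-not-use';

# Ticket layout: user|expires|ip|mac. Fields are '|'-separated so IPv6
# addresses (which contain ':') survive; user names must not contain '|'.
# Pass undef as $ip to skip IP binding (the CDN / multihomed proxy case).
sub make_ticket {
    my ($user, $expires, $ip) = @_;
    my $bound_ip = defined $ip ? $ip : '-';
    my $payload  = join '|', $user, $expires, $bound_ip;
    my $mac      = hmac_sha256_hex($payload, $SECRET);
    return "$payload|$mac";
}

# Constant-time comparison so a MAC check does not leak timing information.
sub same_mac {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name on success, undef on any failure.
sub verify_ticket {
    my ($ticket, $now, $client_ip) = @_;
    my ($user, $expires, $bound_ip, $mac) = split /\|/, $ticket, 4;
    return undef unless defined $mac;
    my $expected = hmac_sha256_hex(join('|', $user, $expires, $bound_ip), $SECRET);
    return undef unless same_mac($mac, $expected);                # forged or tampered
    return undef unless $expires =~ /^\d+$/ && $now < $expires;  # expired
    return undef if $bound_ip ne '-' && $bound_ip ne $client_ip; # IP mismatch
    return $user;
}

# Constructed "current" time and addresses for the demonstration.
my $now = 1_310_908_891;
my $t   = make_ticket('vincent', $now + 3600, '192.0.2.10');
print 'same IP, unexpired:  ', verify_ticket($t, $now, '192.0.2.10')        // 'reject', "\n";
print 'expired ticket:      ', verify_ticket($t, $now + 7200, '192.0.2.10') // 'reject', "\n";
print 'tampered user field: ', verify_ticket("admin|" . (split /\|/, $t, 2)[1], $now, '192.0.2.10') // 'reject', "\n";
print 'IP changed mid-session (proxy/CDN): ', verify_ticket($t, $now, '192.0.2.11') // 'reject', "\n";
```

Dropping the IP from the signed payload (pass undef) keeps the timestamp and MAC protections while avoiding the false rejections Adam describes; the trade-off is that a stolen cookie is then usable from any address until it expires.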