
List:       apache-modperl
Subject:    Re: Authentication logic [was: Changing browser URL based on condition]
From:       Adam Prime <adam.prime () utoronto ! ca>
Date:       2011-07-17 13:21:31
Message-ID: 4E22E1DB.8040304 () utoronto ! ca

On 7/17/2011 1:16 AM, Phil Van wrote:
> Back to Vincent's original request about session id and login: how
> secure is your session id? Have you signed it? If not, someone can try
> to send random IDs and break your authentication.
>
> Well, if you sign it and sign it properly, you basically end up with the
> same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
> stamp, you should also sign with the user's IP.  If the cookie is stolen,
> the origin of IP may protect as the last hope.

Tying a session to an IP can be bad if you use a CDN, or you have 
clients that are behind big multihomed transparent proxies.  AOL users 
in particular used to come from various IPs during a single session.

Adam
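The signed-ticket scheme Phil describes, with the IP binding made optional so Adam's objection can be seen in practice. This is an added example written for this archive page; it is not code from either poster or from any CPAN Authen/Ticket module. The secret, session id, timestamp, addresses and the `make_ticket` / `verify_ticket` names are all constructed for the demo; a real deployment would load the secret from configuration and would still have to decide whether IP binding is acceptable for its clients.

```perl
#!/usr/bin/perl
# Signed session tickets with an optional client-IP binding (added example,
# not code from the thread or from any CPAN Authen/Ticket module).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed server-side secret; a real deployment loads it from config.
my $SECRET = 'constructed-example-secret-do-not-reuse';

# Ticket layout: session_id|issued_at|bound_ip|hmac.  '|' is the separator
# because IPv6 addresses contain ':'.  session_id must not contain '|';
# hex ids satisfy that.  Pass undef for $ip to issue an unbound ticket.
sub make_ticket {
    my ($secret, $session_id, $issued_at, $ip) = @_;
    $ip = '' unless defined $ip;
    my $payload = join '|', $session_id, $issued_at, $ip;
    my $mac = hmac_sha256_hex($payload, $secret);
    return "$payload|$mac";
}

# Constant-time comparison so a MAC check does not leak how many leading
# bytes of a guess were right.
sub consteq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session id if the ticket is genuine, fresh, and (when bound)
# presented from the bound address; undef otherwise.  The MAC is checked
# first so that nothing unauthenticated is ever acted on.
sub verify_ticket {
    my ($secret, $ticket, $now, $max_age, $client_ip) = @_;
    my ($session_id, $issued_at, $ip, $mac) = split /\|/, $ticket, 4;
    return undef unless defined $mac;                                   # malformed
    my $expected = hmac_sha256_hex(join('|', $session_id, $issued_at, $ip), $secret);
    return undef unless consteq($mac, $expected);                       # forged or altered
    return undef unless $issued_at =~ /^\d+$/;                          # defensive: must be a timestamp
    return undef if $now < $issued_at || $now - $issued_at > $max_age;  # expired or clock skew
    return undef if $ip ne '' && $ip ne $client_ip;                     # bound ticket, other address
    return $session_id;
}

# Demo with a fixed, constructed clock so the run is reproducible.
my $now     = 1_310_908_891;
my $max_age = 3600;
my $unbound = make_ticket($SECRET, 'a1b2c3d4', $now, undef);
my $bound   = make_ticket($SECRET, 'a1b2c3d4', $now, '203.0.113.7');
(my $forged = $unbound) =~ s/^a1b2c3d4/deadbeef/;   # id edited, MAC left as issued

my @cases = (
    ['unbound ticket, any address',      $unbound, $now + 60,   '198.51.100.9'],
    ['forged session id',                $forged,  $now + 60,   '198.51.100.9'],
    ['expired ticket',                   $unbound, $now + 7200, '198.51.100.9'],
    ['IP-bound ticket, same address',    $bound,   $now + 60,   '203.0.113.7'],
    ['IP-bound ticket, address changed', $bound,   $now + 60,   '203.0.113.8'],
);
for my $c (@cases) {
    my ($label, $ticket, $at, $from) = @$c;
    my $sid = verify_ticket($SECRET, $ticket, $at, $max_age, $from);
    printf "%-35s %s\n", $label, defined $sid ? "accepted ($sid)" : 'rejected';
}
```

The first three cases show what the signature alone buys: a guessed or edited id is rejected without any database lookup, and the timestamp bounds how long a stolen ticket stays usable. The last case is Adam's point: the same legitimate user, re-emerging from a proxy pool or CDN on a neighbouring address, is indistinguishable from a thief and gets logged out mid-session. Whether to pass an IP into `make_ticket` is therefore a deployment decision, not a free hardening step.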