Mailing List Archive

Session IP address protection
Many moons ago, it was discussed to protect sessions with the IP
address. That would have the effect of not allowing a user to switch
IP address mid-session (not a big problem) and thereby making
session theft via cookie theft much harder.

That together with my protected session-data object would make it
extremely hard to break session-based authorization.

This could easily be implemented for 2.8.

Thoughts?

//Lennart
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
Re: Session IP address protection
--On Monday, 4 October 2004 15:12 +0200 Lennart Regebro
<regebro@nuxeo.com> wrote:

> Many moons ago, it was discussed to protect sessions with the IP address.
> That would have the effect of not allowing a user to switch IP address
> mid-session (not a big problem) and thereby making session theft via
> cookie theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.


Is this protection optional or mandatory? If mandatory, then -1 because
there are enough organizations running load-balanced proxies where
the source IP can change from time to time.

-aj
Re: Session IP address protection
Andreas Jung wrote:
> Is this protection optional or mandatory? If mandatory, then -1 because
> there are enough organizations running load-balanced proxies where
> the source IP can change from time to time.

Nah, it should be optional of course. But on by default, I think.
Re: Session IP address protection
Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session theft via cookie theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.

Not a blocker for an alpha, which was what this thread is about. If
somebody implements it before the beta feature freeze, and the
implementation doesn't cause problems, that would be fine (but note the
issues involved in large-scale sites, where Zope runs behind a cache, a
load-balancer, or another proxy).

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com

Re: Session IP address protection
--On Monday, 4 October 2004 15:26 +0200 Lennart Regebro
<regebro@nuxeo.com> wrote:

> Andreas Jung wrote:
>> Is this protection optional or mandatory? If mandatory, then -1 because
>> there are enough organizations running load-balanced proxies where
>> the source IP can change from time to time.
>
> Nah, it should be optional of course. But on by default, I think.

That's fine with me.

-aj



Re: Re: Session IP address protection
Tres Seaver wrote:
> Not a blocker for an alpha, which was what this thread is about.

I agree, the thread just reminded me to bring this issue up.

> somebody implements it before the beta feature freeze, and the
> implementation doesn't cause problems, that would be fine (but note the
> issues involved in large-scale sites, where Zope runs behind a cache, a
> load-balancer, or another proxy).

Well, that should not be an issue if it is optional, right?
Otherwise somebody needs to explain the issues. ;)

//Lennart
Re: Session IP address protection
Hi,

On Mon, 2004-10-04 at 15:12, Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session theft via cookie theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.
>
> Thoughts?

It would even make it extremely hard to use it as intended
in some situations :-)

Many big ISPs use a proxy farm so you are presented with
a lot of IP changes in the same session.

Session based via Cookie/Path should be good. Don't
rely on IP constantness.

Regards
Tino

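As an added example, not Zope's code and not anything posted in this thread, the following Python sketch models the proposal from the opening post (an optional, on-by-default binding of a session to the address it was created from) together with the failure mode raised in the replies: a legitimate client whose requests arrive through rotating proxy addresses loses its session, while a cookie replayed from a different address is rejected. The `SessionStore`, the `client_address` helper, the `trusted_proxies` set and the addresses used are all assumptions made up for the demonstration.

```python
"""Optional client-IP binding for a cookie-based session store.

Constructed example modelling the thread's proposal; it is not Zope's
session machinery. Scenarios are built from made-up addresses.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    bound_ip: Optional[str] = None   # address recorded at creation when binding is on


class SessionStore:
    """In-memory session store. `bind_to_ip` is the proposed optional
    protection; it defaults to on, as suggested in the thread."""

    def __init__(self, bind_to_ip: bool = True):
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}
        # (session id, bound address, presenting address): what a site would log
        self.rejections: List[Tuple[str, Optional[str], str]] = []

    def create(self, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable session id
        self._sessions[sid] = Session(bound_ip=client_ip if self.bind_to_ip else None)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        """Return the session, or None if it is unknown or IP binding rejects it.
        A mismatch invalidates the session outright, so the cookie is useless
        to whoever presented it from the wrong address from then on."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.bind_to_ip and sess.bound_ip != client_ip:
            self.rejections.append((sid, sess.bound_ip, client_ip))
            del self._sessions[sid]
            return None
        return sess


def client_address(environ: dict, trusted_proxies: frozenset) -> str:
    """Address to bind to. Behind a reverse proxy REMOTE_ADDR is the proxy
    itself, so the last X-Forwarded-For hop appended by a *trusted* proxy is
    used instead; from any other peer that header is client-controlled and
    ignored. (Assumed helper; WSGI environ keys as in the WSGI spec.)"""
    peer = environ["REMOTE_ADDR"]
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in trusted_proxies and forwarded:
        return forwarded.split(",")[-1].strip()
    return peer


def stolen_cookie_scenario(bind_to_ip: bool) -> bool:
    """Victim logs in from one address; the same cookie is later presented
    from another. Returns True if that second request was accepted."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    sid = store.create("198.51.100.10")
    store.lookup(sid, "198.51.100.10").data["user"] = "alice"
    return store.lookup(sid, "203.0.113.7") is not None


def proxy_farm_scenario(bind_to_ip: bool, hops: List[str]) -> int:
    """One legitimate client whose requests arrive via the rotating proxy
    addresses in `hops` (constructed). Returns how many requests still found
    their session; with binding on, the first address change ends it."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    sid = store.create(hops[0])
    return sum(1 for ip in hops if store.lookup(sid, ip) is not None)


if __name__ == "__main__":
    farm = ["192.0.2.1", "192.0.2.2", "192.0.2.1"]
    print("stolen cookie accepted, binding on :", stolen_cookie_scenario(True))
    print("stolen cookie accepted, binding off:", stolen_cookie_scenario(False))
    print("proxy-farm requests kept, binding on :", proxy_farm_scenario(True, farm))
    print("proxy-farm requests kept, binding off:", proxy_farm_scenario(False, farm))
```

The two scenarios are the trade-off the thread circles around: with the binding on, the replayed cookie is refused, but the client behind a rotating proxy farm keeps only its first request and is logged out on the next one, which is why the setting has to stay optional and its caveat documented next to the config entry. `client_address` shows the other thing a deployment behind a cache or load balancer needs before the binding is useful at all: without reading the forwarded address from a trusted proxy, every client binds to the proxy's own address and the check protects nothing.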
Re: Re: Session IP address protection
Lennart Regebro wrote:
> Tres Seaver wrote:
>
>> Not a blocker for an alpha, which was what this thread is about.
>
>
> I agree, the thread just reminded me to bring this issue up.
>
>> somebody implements it before the beta feature freeze, and the
>> implementation doesn't cause problems, that would be fine (but note
>> the issues involved in large-scale sites, where Zope runs behind a
>> cache, a load-balancer, or another proxy).
>
>
> Well, that should not be an issue if it is optional, right?
> Otherwise somebody needs to explain the issues. ;)

Mostly, just to have the potential issues explained in the docs
(particularly the comments for the default config file entry).

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com