Re: User authentication over the web (was: Secure Password in database)

From: Robie Basak (r.basak@cs.man.ac.uk)
Date: 09/08/01


Date: Sat, 8 Sep 2001 00:10:31 +0100
From: Robie Basak <r.basak@cs.man.ac.uk>
To: secprog@securityfocus.com
Subject: Re: User authentication over the web (was: Secure Password in database)
Message-ID: <20010908001030.A1053@cs.man.ac.uk>

On Fri, Sep 07, 2001 at 05:28:06PM -0400, Rossen Raykov wrote:

[...]

> Putting the IP address in the session is not a good idea!
> What about multi-parent and multi-sibling proxy servers?

Good point. I stand corrected :)

A couple of thoughts, though you're still right and this doesn't help.

It'd be nice if proxy servers in that kind of setup arranged to use the
same originating IP for the same client IP. Is there any reason not to?
Of course, that's a client-side issue and the server software author has
no control over it.

Second, clients may typically keep a persistent connection open with the
server, which would keep the originating IP the same. Again, in practice
this can't be relied upon :-(

Also, a very evil hack, which probably won't work very well: allow IPs
in the same /24 or /16 subnet. A Bad Thing to do, I think.

But then the problem remains; someone could grab a session id off
someone's URL if it's propagated that way and use it :-(

Robie.
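The trade-offs in the thread (binding a session to the client IP breaks behind rotating proxies, matching on a /24 is looser but still fails across proxy farms, and a session id carried in the URL can be picked up by anyone who sees the URL) can be made concrete with a small session store. The code below is an added illustration, not code from this list post or from any project named in it; the `SessionStore` class, its binding policies, the `sid` cookie name and the TEST-NET proxy addresses are all constructed for the example.

```python
import secrets
import ipaddress
import time

class SessionStore:
    """In-memory session store with a configurable client-IP binding policy.

    binding: "exact"    - session is valid only from the IP it was created from
             "prefix24" - session is valid from any IP in the same /24
                          (the "evil hack" from the post, shown so its
                          weakness is visible, not as a recommendation)
             "none"     - no IP binding; security rests on the token being
                          unguessable and never exposed (e.g. not in URLs)
    """

    def __init__(self, binding="none", ttl=3600):
        self.binding = binding
        self.ttl = ttl
        self._sessions = {}

    def create(self, user, client_ip, now=None):
        # 256 bits from the OS CSPRNG: a session id must be unguessable
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ip": client_ip,
            "created": now if now is not None else time.time(),
        }
        return token

    def _ip_ok(self, stored_ip, seen_ip):
        if self.binding == "none":
            return True
        if self.binding == "exact":
            return stored_ip == seen_ip
        if self.binding == "prefix24":
            net = ipaddress.ip_network(f"{stored_ip}/24", strict=False)
            return ipaddress.ip_address(seen_ip) in net
        raise ValueError(f"unknown binding policy {self.binding!r}")

    def lookup(self, token, client_ip, now=None):
        """Return the user for a valid token, or None if unknown, expired,
        or presented from an IP the policy does not accept."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = now if now is not None else time.time()
        if now - rec["created"] > self.ttl:
            del self._sessions[token]  # expired sessions are dropped
            return None
        if not self._ip_ok(rec["ip"], client_ip):
            return None
        return rec["user"]


def session_token_from_request(headers):
    """Take the session id only from the Cookie header.

    Anything in the query string is deliberately ignored, so a token that
    leaks via a copied/forwarded URL is never honoured by this server.
    """
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value
    return None


# Constructed egress addresses of a multi-sibling proxy farm (RFC 5737 TEST-NET ranges).
PROXY_EGRESS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]


def simulate(binding):
    """One legitimate client, six requests, each leaving through the next
    proxy in the farm. Returns how many requests the policy accepts."""
    store = SessionStore(binding=binding)
    token = store.create("alice", PROXY_EGRESS[0], now=1000)
    accepted = 0
    for i in range(6):
        ip = PROXY_EGRESS[i % len(PROXY_EGRESS)]
        if store.lookup(token, ip, now=1000 + i) == "alice":
            accepted += 1
    return accepted


if __name__ == "__main__":
    for policy in ("exact", "prefix24", "none"):
        print(f"{policy:9s} accepted {simulate(policy)} of 6 requests")
```

Running the simulation shows the point made in the thread: with `exact` binding the legitimate user is logged out on most requests, `prefix24` only survives while the proxies happen to share a /24, and only `none` works reliably, which is why the remaining defence is keeping the token secret (cookie rather than URL, short lifetime, enough entropy) rather than tying it to an address the server cannot trust.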


