Re: User authentication over the web (was: Secure Password in database)
From: Jacob Kenner (jacob@causative.net)
Date: 09/23/01
Date: Sat, 22 Sep 2001 21:07:30 -0500
From: Jacob Kenner <jacob@causative.net>
To: Rossen Raykov <rraykov@sageian.com>
Subject: Re: User authentication over the web (was: Secure Password in database)
Message-ID: <20010922210730.M26735@causative.net>
Thus spake Rossen Raykov (rraykov@sageian.com):
> Putting the IP address in the session is not a good idea!
> What about multi-parent and multi-sibling proxy servers?
Using a fixed ip, yes. However, in my most recent code, I have been
using a progressive algorithm that starts out with a very liberal IP
mask restriction, but then progressively locks the mask down until it
reaches a point where it can no longer restrict without locking the user
out.
In a reasonably short order, those on a static IP address get locked
into a 32 bit mask. Those coming from a large proxy network (such as
AOL) get locked into a less restrictive mask, but at least it's better
than nothing.
~jacob
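As an added illustration (not the poster's code), here is the progressive mask lock-down described above written out in Python. The /8 starting mask, the 8-bits-per-accepted-request tightening step and the addresses in the comments are all assumptions made for the example; the check rejects any request outside the current mask and never tightens past the longest prefix shared by every address the session has actually seen.

```python
import ipaddress

INITIAL_PREFIX = 8   # assumption: start with a very liberal /8 mask
STEP = 8             # assumption: tighten by 8 bits per accepted request


def common_prefix_len(a: int, b: int) -> int:
    """Number of leading bits shared by two 32-bit addresses."""
    diff = a ^ b
    return 32 if diff == 0 else 32 - diff.bit_length()


class IpBoundSession:
    """Per-session state: the anchor address, the mask length currently
    enforced, and the tightest mask that still admits every address
    seen so far (the point past which tightening would lock the user out)."""

    def __init__(self, first_ip: str):
        self.anchor = int(ipaddress.IPv4Address(first_ip))
        self.prefix = INITIAL_PREFIX
        self.floor = 32  # only one address seen, so /32 is still possible

    def check(self, ip: str) -> bool:
        """Accept (and tighten the mask) if ip is inside the current mask,
        otherwise reject so the caller can invalidate the session."""
        addr = int(ipaddress.IPv4Address(ip))
        shared = common_prefix_len(self.anchor, addr)
        if shared < self.prefix:
            return False  # outside the enforced mask: treat as a stolen session
        # Remember the tightest mask compatible with everything seen so far.
        self.floor = min(self.floor, shared)
        # Tighten progressively, but never past what this user has shown.
        self.prefix = min(self.prefix + STEP, self.floor)
        return True


if __name__ == "__main__":
    # Constructed addresses: a static client reaches /32 in three requests.
    static = IpBoundSession("192.0.2.10")
    for _ in range(3):
        static.check("192.0.2.10")
    print("static client mask:", static.prefix)
    # A client behind rotating proxies in 10.1.0.0/16 is held at /16.
    proxied = IpBoundSession("10.1.2.3")
    proxied.check("10.1.200.1")
    proxied.check("10.1.7.9")
    print("proxied client mask:", proxied.prefix)
```

The trade-off the message describes is visible here: a proxied user whose first requests happen to arrive from the same address is tightened toward /32 before the variation is seen, so the step size governs how much tolerance remains.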