Mailing List Archive: Zope: Coders

Session IP address protection



regebro at nuxeo

Oct 4, 2004, 6:12 AM

Post #1 of 8 (2301 views)
Session IP address protection

Many moons ago, it was discussed to protect sessions with the IP
address. That would have the effect of not allowing a user to switch
IP address mid-session (not a big problem) and thereby making
session-theft via cookie-theft much harder.

That together with my protected session-data object would make it
extremely hard to break session-based authorization.

This could easily be implemented for 2.8.

Thoughts?

//Lennart
_______________________________________________
Zope-Coders mailing list
Zope-Coders [at] zope
http://mail.zope.org/mailman/listinfo/zope-coders


lists at andreas-jung

Oct 4, 2004, 6:20 AM

Post #2 of 8 (2239 views)
Re: Session IP address protection

--On Monday, 4 October 2004 15:12 +0200 Lennart Regebro
<regebro [at] nuxeo> wrote:

> Many moons ago, it was discussed to protect sessions with the IP address.
> That would have the effect of not allowing a user to switch IP address
> mid-session (not a big problem) and thereby making session-theft via
> cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.


Is this protection optional or mandatory? If mandatory, then -1 because
there are enough organizations running load-balanced proxies where
the source IP can change from time to time.

-aj


regebro at nuxeo

Oct 4, 2004, 6:26 AM

Post #3 of 8 (2254 views)
Re: Session IP address protection

Andreas Jung wrote:
> Is this protection optional or mandatory? If mandatory, then -1 because
> there are enough organizations running load-balanced proxies where
> the source IP can change from time to time.

Nah, it should be optional of course. But default, I think.


tseaver at zope

Oct 4, 2004, 6:43 AM

Post #4 of 8 (2241 views)
Re: Session IP address protection

Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session-theft via cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.

Not a blocker for an alpha, which was what this thread is about. If
somebody implements it before the beta feature freeze, and the
implementation doesn't cause problems, that would be fine (but note the
issues involved in large-scale sites, where Zope runs behind a cache, a
load-balancer, or another proxy).

Tres.
--
===============================================================
Tres Seaver tseaver [at] zope
Zope Corporation "Zope Dealers" http://www.zope.com



lists at andreas-jung

Oct 4, 2004, 6:49 AM

Post #5 of 8 (2268 views)
Re: Session IP address protection

--On Monday, 4 October 2004 15:26 +0200 Lennart Regebro
<regebro [at] nuxeo> wrote:

> Andreas Jung wrote:
>> Is this protection optional or mandatory? If mandatory, then -1 because
>> there are enough organizations running load-balanced proxies where
>> the source IP can change from time to time.
>
> Nah, it should be optional of course. But default, I think.

That's fine with me.

-aj





regebro at nuxeo

Oct 4, 2004, 6:59 AM

Post #6 of 8 (2260 views)
Re: Re: Session IP address protection

Tres Seaver wrote:
> Not a blocker for an alpha, which was what this thread is about.

I agree, the thread just reminded me to bring this issue up.

> somebody implements it before the beta feature freeze, and the
> implementation doesn't cause problems, that would be fine (but note the
> issues involved in large-scale sites, where Zope runs behind a cache, a
> load-balancer, or another proxy).

Well, that should not be an issue if it is optional, right?
Otherwise somebody needs to explain the issues. ;)

//Lennart


tino at wildenhain

Oct 4, 2004, 7:05 AM

Post #7 of 8 (2245 views)
Re: Session IP address protection

Hi,

On Mon, 2004-10-04 at 15:12, Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session-theft via cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.
>
> Thoughts?

It would even make it extremely hard to use as intended
in some situations :-)

Many big ISPs use a proxy farm so you are presented with
a lot of IP changes in the same session.

Session-based via Cookie/Path should be good. Don't
rely on IP constantness.

Regards
Tino

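As an added illustration (not code from this thread or from Zope's own session machinery) of the optional IP binding Lennart proposes and the failure mode Andreas and Tino describe, the following Python sketch records the client address when a session is created and refuses the same cookie when it is later presented from a different address. The store, the `bind_to_ip` flag and the addresses are constructed for the example.

```python
# Added example, not code from the thread or from Zope: an in-memory session
# store that optionally binds each session to the client address it was
# created from.  bind_to_ip is hypothetical (optional, on by default).
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Session:
    user: str
    client_ip: Optional[str]          # address at creation, None if unbound
    data: dict = field(default_factory=dict)

class SessionStore:
    def __init__(self, bind_to_ip: bool = True):
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, remote_addr: str) -> str:
        # The session id is the cookie value, so it must be unguessable.
        sid = secrets.token_urlsafe(32)
        ip = remote_addr if self.bind_to_ip else None
        self._sessions[sid] = Session(user=user, client_ip=ip)
        return sid

    def lookup(self, sid: str, remote_addr: str) -> Optional[Session]:
        """Return the session for this cookie, or None if the id is unknown
        or (with binding on) it arrives from another address.  A stolen
        cookie replayed from elsewhere is refused here; so is a legitimate
        user whose address changed mid-session (the proxy-farm problem)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.client_ip is not None and s.client_ip != remote_addr:
            return None
        return s

def demo() -> Dict[bool, Tuple[bool, bool]]:
    """Constructed scenario: log in once, then present the same cookie from
    the original address and from a new one, with binding on and then off."""
    results = {}
    for bound in (True, False):
        store = SessionStore(bind_to_ip=bound)
        sid = store.create("alice", "192.0.2.10")       # RFC 5737 test range
        same = store.lookup(sid, "192.0.2.10") is not None
        moved = store.lookup(sid, "198.51.100.7") is not None
        results[bound] = (same, moved)
    return results
```

With binding on, the cookie is accepted only from the original address; with binding off, it is accepted from both, which is the trade-off the thread settles on by making the check optional.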


tseaver at zope

Oct 4, 2004, 7:09 AM

Post #8 of 8 (2268 views)
Re: Re: Session IP address protection

Lennart Regebro wrote:
> Tres Seaver wrote:
>> Not a blocker for an alpha, which was what this thread is about.
>
> I agree, the thread just reminded me to bring this issue up.
>
>> somebody implements it before the beta feature freeze, and the
>> implementation doesn't cause problems, that would be fine (but note
>> the issues involved in large-scale sites, where Zope runs behind a
>> cache, a load-balancer, or another proxy).
>
> Well, that should not be an issue if it is optional, right?
> Otherwise somebody needs to explain the issues. ;)

Mostly, just to have the potential issues explained in the docs
(particularly the comments for the default config file entry).

Tres.
--
===============================================================
Tres Seaver tseaver [at] zope
Zope Corporation "Zope Dealers" http://www.zope.com