
Mailing List Archive: Zope: Coders

Session IP address protection



regebro at nuxeo
Oct 4, 2004, 6:12 AM
Post #1 of 8
Session IP address protection

Many moons ago, it was discussed to protect sessions with the IP
address. That would have the effect of not allowing a user to switch
IP address mid-session (not a big problem) and thereby making
session-theft via cookie-theft much harder.

That together with my protected session-data object would make it
extremely hard to break session-based authorization.

This could easily be implemented for 2.8.

Thoughts?

//Lennart
_______________________________________________
Zope-Coders mailing list
Zope-Coders[at]zope.org
http://mail.zope.org/mailman/listinfo/zope-coders


lists at andreas-jung
Oct 4, 2004, 6:20 AM
Post #2 of 8
Re: Session IP address protection

--On Monday, 4 October 2004 15:12 +0200 Lennart Regebro
<regebro[at]nuxeo.com> wrote:

> Many moons ago, it was discussed to protect sessions with the IP address.
> That would have the effect of not allowing a user to switch IP address
> mid-session (not a big problem) and thereby making session-theft via
> cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.


Is this protection optional or mandatory? If mandatory, then -1 because
there are enough organizations running load-balanced proxies where
the source IP can change from time to time.

-aj


regebro at nuxeo
Oct 4, 2004, 6:26 AM
Post #3 of 8
Re: Session IP address protection

Andreas Jung wrote:
> Is this protection optional or mandatory? If mandatory, then -1 because
> there are enough organizations running load-balanced proxies where
> the source IP can change from time to time.

Nah, it should be optional of course. But the default, I think.


tseaver at zope
Oct 4, 2004, 6:43 AM
Post #4 of 8
Re: Session IP address protection

Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session-theft via cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.

Not a blocker for an alpha, which was what this thread is about. If
somebody implements it before the beta feature freeze, and the
implementation doesn't cause problems, that would be fine (but note the
issues involved in large-scale sites, where Zope runs behind a cache, a
load-balancer, or another proxy).

Tres.
--
===============================================================
Tres Seaver tseaver[at]zope.com
Zope Corporation "Zope Dealers" http://www.zope.com



lists at andreas-jung
Oct 4, 2004, 6:49 AM
Post #5 of 8
Re: Session IP address protection

--On Monday, 4 October 2004 15:26 +0200 Lennart Regebro
<regebro[at]nuxeo.com> wrote:

> Andreas Jung wrote:
>> Is this protection optional or mandatory? If mandatory, then -1 because
>> there are enough organizations running load-balanced proxies where
>> the source IP can change from time to time.
>
> Nah, it should be optional of course. But the default, I think.

That's fine with me.

-aj


regebro at nuxeo
Oct 4, 2004, 6:59 AM
Post #6 of 8
Re: Re: Session IP address protection

Tres Seaver wrote:
> Not a blocker for an alpha, which was what this thread is about.

I agree, the thread just reminded me to bring this issue up.

> somebody implements it before the beta feature freeze, and the
> implementation doesn't cause problems, that would be fine (but note the
> issues involved in large-scale sites, where Zope runs behind a cache, a
> load-balancer, or another proxy).

Well, that should not be an issue if it is optional, right?
Otherwise somebody needs to explain the issues. ;)

//Lennart


tino at wildenhain
Oct 4, 2004, 7:05 AM
Post #7 of 8
Re: Session IP address protection

Hi,

On Mon, 2004-10-04 at 15:12, Lennart Regebro wrote:
> Many moons ago, it was discussed to protect sessions with the IP
> address. That would have the effect of not allowing a user to switch
> IP address mid-session (not a big problem) and thereby making
> session-theft via cookie-theft much harder.
>
> That together with my protected session-data object would make it
> extremely hard to break session-based authorization.
>
> This could easily be implemented for 2.8.
>
> Thoughts?

It would even make it extremely hard to use it as intended
in some situations :-)

Many big ISPs use a proxy farm so you are presented with
a lot of IP changes in the same session.

Session-based via Cookie/Path should be good. Don't
rely on IP constancy.

Regards
Tino



tseaver at zope
Oct 4, 2004, 7:09 AM
Post #8 of 8
Re: Re: Session IP address protection

Lennart Regebro wrote:
> Tres Seaver wrote:
>
>> Not a blocker for an alpha, which was what this thread is about.
>
>
> I agree, the thread just reminded me to bring this issue up.
>
>> somebody implements it before the beta feature freeze, and the
>> implementation doesn't cause problems, that would be fine (but note
>> the issues involved in large-scale sites, where Zope runs behind a
>> cache, a load-balancer, or another proxy).
>
>
> Well, that should not be an issue if it is optional, right?
> Otherwise somebody needs to explain the issues. ;)

Mostly, just to have the potential issues explained in the docs
(particularly the comments for the default config file entry).

Tres.
--
===============================================================
Tres Seaver tseaver[at]zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
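The mechanism debated in this thread (post 1's proposal, and the proxy and proxy-farm caveats in posts 2, 4 and 7), as an added example in Python that is not Zope's own session code: a session store whose IP binding is optional and on by default, which trusts X-Forwarded-For only from the site's own front proxy. `TRUSTED_PROXIES` and all addresses are constructed for the example.

```python
import secrets

# Added example, not Zope's own code: a session store that can optionally bind
# each session to the client address it was created from, plus the
# front-proxy handling the replies in this thread warn about.

TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the site's own load balancer

def client_address(remote_addr, x_forwarded_for=None):
    """Address a session is bound to.  Behind our own proxy the client is
    the last hop it appended to X-Forwarded-For (single trusted hop assumed);
    from any other peer the header is attacker-controlled and ignored."""
    if remote_addr in TRUSTED_PROXIES and x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr

class SessionStore:
    def __init__(self, bind_to_ip=True):
        self.bind_to_ip = bind_to_ip  # optional, on by default, as agreed
        self._sessions = {}

    def create(self, user, remote_addr, x_forwarded_for=None):
        sid = secrets.token_hex(16)  # unguessable session id
        addr = client_address(remote_addr, x_forwarded_for) if self.bind_to_ip else None
        self._sessions[sid] = {"user": user, "addr": addr}
        return sid

    def lookup(self, sid, remote_addr, x_forwarded_for=None):
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.bind_to_ip and sess["addr"] != client_address(remote_addr, x_forwarded_for):
            # Either a stolen cookie replayed from elsewhere or a legitimate
            # client whose ISP proxy farm switched exit address: the check
            # cannot tell these apart, which is why it has to be switchable.
            return None
        return sess["user"]

def demo():
    store = SessionStore(bind_to_ip=True)
    sid = store.create("alice", "10.0.0.5", "203.0.113.10")
    return (
        store.lookup(sid, "10.0.0.5", "203.0.113.10"),  # same client: "alice"
        store.lookup(sid, "198.51.100.7"),              # replayed cookie: None
        store.lookup(sid, "10.0.0.5", "203.0.113.11"),  # proxy farm moved: None
    )
```

The third lookup is the false positive Andreas and Tino describe: a user whose proxy farm changed exit address is locked out exactly like a cookie thief, so sites behind such ISPs need the option off.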
