perl-modperl mailing list archives

From Joelle Nebbe <>
Subject Re: Apache::Session
Date Thu, 14 Aug 2003 12:06:09 GMT
I do a few basic things that improve security - it's still not strict security but

What I do is store both the remote IP and the user agent HTTP parameters in the session when
the session is created.
Whenever a new request comes in with that session I check that those haven't changed. If they
haven't I allow access and update the 'last access time' (for expiry) - if not they are logged
out and the session closed.

This means that any user disconnected from their ISP has to login again, which I consider
acceptable. It also means that if they copy a URL and paste it into another browser they
will end up logged out; again, it does not happen often and people should accept it as the
price of security.

It does mean that someone on the same proxy and using the same browser could still do something
but that is already a lot fewer people.

I also check the referrer to make sure people are coming from a page that makes sense. If you
wanted to be more sophisticated you could store where a user has been recently (the 5 last
URLs maybe) and check that the referrer is one of them. If the referrer is not a page where
the user has been then things are fishy and you log them out.

If you need even better security there's SSL, or storing unique, random 'challenge-response'
style tokens into pages that have to be sent back on the next connection.

Probably many people on this list have more sophisticated systems in place. I'd be interested
to know too :)

Joelle Nebbe
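The checks described in the message above (IP and User-Agent bound to the session at creation, verified on every request with a last-access refresh and logout on mismatch, a referrer check against the last few URLs served, and a per-page challenge-response token), written out as an added, self-contained example. This is not code from the message or from Apache::Session: the session store is a plain in-memory hash so the script runs stand-alone, the function names `create_session`, `validate_request`, `serve_page` and `new_token` are hypothetical, and the TTL, history length and sample requests are constructed values.

```perl
#!/usr/bin/perl
# Added example, not from the original message or from Apache::Session.
# The store is an in-memory hash; all function names are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $SESSION_TTL = 30 * 60;   # seconds of inactivity before expiry (assumed)
my $HISTORY_LEN = 5;         # recent URLs kept for the referrer check

# Random-looking session id / page token. rand() is used only so the
# script runs anywhere; a real deployment should use a CSPRNG source.
sub new_token {
    return sha256_hex(join(':', time, $$, rand(), @_));
}

# Create a session bound to the client's remote IP and User-Agent, as the
# message proposes, and return its id.
sub create_session {
    my ($store, $remote_ip, $user_agent, $now) = @_;
    my $sid = new_token('session');
    $store->{$sid} = {
        remote_ip   => $remote_ip,
        user_agent  => $user_agent,
        last_access => $now,
        history     => [],      # last few URLs served to this user
        page_token  => undef,   # token embedded in the last page served
    };
    return $sid;
}

# Validate an incoming request against the stored session. Returns 1 and
# refreshes last_access on success; on any mismatch the session is deleted
# (the user is logged out) and 0 is returned. $req is a hashref with
# remote_ip, user_agent, referer, url and (optionally) token.
sub validate_request {
    my ($store, $sid, $req, $now) = @_;
    my $s = $store->{$sid} or return 0;

    my $ok = 1;
    # expiry on inactivity
    $ok = 0 if $now - $s->{last_access} > $SESSION_TTL;
    # IP and User-Agent must not have changed since login
    $ok = 0 if $s->{remote_ip}  ne $req->{remote_ip};
    $ok = 0 if $s->{user_agent} ne $req->{user_agent};
    # referrer must be one of the pages this user was recently served
    if ($ok && @{ $s->{history} }) {
        my $ref = $req->{referer} // '';
        $ok = 0 unless grep { $_ eq $ref } @{ $s->{history} };
    }
    # challenge-response token from the previous page, if one was issued
    if ($ok && defined $s->{page_token}) {
        $ok = 0 unless defined $req->{token} && $req->{token} eq $s->{page_token};
    }

    if (!$ok) {
        delete $store->{$sid};
        return 0;
    }
    $s->{last_access} = $now;
    return 1;
}

# Record the URL just served and issue a fresh token for the next request.
sub serve_page {
    my ($store, $sid, $url) = @_;
    my $s = $store->{$sid};
    push @{ $s->{history} }, $url;
    shift @{ $s->{history} } while @{ $s->{history} } > $HISTORY_LEN;
    $s->{page_token} = new_token('page', $url);
    return $s->{page_token};
}

# Demonstration with constructed requests (sample values, not real traffic).
my %store;
my $t   = 1_000_000;
my $sid = create_session(\%store, '192.0.2.10', 'Mozilla/5.0 (example)', $t);
my $tok = serve_page(\%store, $sid, '/account');

my %next = (remote_ip => '192.0.2.10', user_agent => 'Mozilla/5.0 (example)',
            referer => '/account', url => '/account/edit', token => $tok);
printf "same client, good referer and token: %d\n",
    validate_request(\%store, $sid, \%next, $t + 60);

# Same session id presented from a different browser: User-Agent differs,
# so the request is refused and the session is closed.
my %copied = (%next, user_agent => 'Lynx/2.8');
printf "session id reused from another browser: %d\n",
    validate_request(\%store, $sid, \%copied, $t + 120);
printf "session still present after failure: %d\n", exists $store{$sid} ? 1 : 0;
```

Every check funnels into one `$ok` flag and a single delete-and-return-0 path, so a failed check always closes the session rather than merely rejecting the request, matching the message's "logged out and the session closed" behaviour. The caveat in the message still applies: two clients behind the same proxy with the same browser string pass the IP and User-Agent checks, which is why the referrer history and the per-page token are layered on top.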
