perl-modperl mailing list archives

From "Raf" <ra...@joshua.dreamthought.com>
Subject Re: Apache::Session
Date Thu, 14 Aug 2003 11:55:17 GMT
Aleksandr Guidrevitch said:
...
> Is it possible to uniquely identify the user by some attributes ?
> The only thing I consider now is IP, but what about proxies and NATs ?
> User Agent string could also be stolen via javascript. That means I tend
> to make stolen session ids non-reusable.

Went through this many years ago and I assure you that there is 'no'
proper heuristic for identifying that user.  UserAgent fails when you have
a building full of people with a standard install.  IP fails with proxies
- and even worse - through crappy ISPs where each request appears to be
chained through some different proxy.  IMHO, you have to accept some level
of insecurity.

Make the walls higher.  Use POST, use cookies, make your session ids
short lived, make heuristics for comparing temporally close subsequent
requests' useragent/IP etc.  Perhaps there's someone clever out there who
has found some chaotic fractal which will reveal the MAC address from
the combination of everything else, however besides this, I think it a
no-winner.

Well, good luck,

Rafiq
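The "make the walls higher" advice above, sketched as an added Perl example. This is not Rafiq's code and not part of Apache::Session's API; it is a stand-alone illustration of a session record bound to the first request's User-Agent and IP, with an absolute lifetime, an idle timeout, a hard reject on a mid-session User-Agent change, a soft (counted, not immediately fatal) treatment of IP changes between temporally close requests so proxy pools and NAT are tolerated, and id rotation so a previously leaked id stops working. The policy numbers, the sample requests and the fixed clock are constructed; reading `/dev/urandom` assumes a Unix-like host.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Tunables (constructed values, not taken from the original post).
my %POLICY = (
    max_lifetime => 15 * 60,   # absolute lifetime of one session id, seconds
    idle_timeout => 5 * 60,    # reject if the session has been quiet this long
    near_window  => 30,        # "temporally close": requests this many seconds apart
    max_ip_flips => 3,         # how many close-together IP changes we tolerate
);

# Fresh unguessable id from the kernel CSPRNG (assumes /dev/urandom exists).
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Build a session record bound to the first request's UA and IP.
sub new_session {
    my ($ua, $ip, $now) = @_;
    return {
        id        => new_session_id(),
        created   => $now,
        last_seen => $now,
        ua_hash   => sha256_hex($ua // ''),   # store a digest, not the raw string
        ip        => $ip,
        ip_flips  => 0,
    };
}

# Re-key after login or a privilege change so an id captured earlier is useless.
sub rotate_session {
    my ($s) = @_;
    $s->{id} = new_session_id();
    return $s->{id};
}

# Validate a follow-up request against the record. Returns (ok, reason).
# Hard failures: expiry, idle timeout, UA change, too many close IP flips.
# A lone IP change is accepted, since proxies and NAT make IP unreliable.
sub validate_request {
    my ($s, $ua, $ip, $now) = @_;
    return (0, 'expired') if $now - $s->{created}   > $POLICY{max_lifetime};
    return (0, 'idle')    if $now - $s->{last_seen} > $POLICY{idle_timeout};

    my $delta      = $now - $s->{last_seen};
    my $ua_changed = sha256_hex($ua // '') ne $s->{ua_hash};
    my $ip_changed = ($ip // '') ne ($s->{ip} // '');

    return (0, 'user-agent changed') if $ua_changed;

    if ($ip_changed && $delta <= $POLICY{near_window}) {
        $s->{ip_flips}++;
        return (0, 'ip flapping') if $s->{ip_flips} >= $POLICY{max_ip_flips};
    }

    # Accepted: move the binding forward with the client.
    $s->{ip}        = $ip;
    $s->{last_seen} = $now;
    return (1, 'ok');
}

# Demo with a constructed fixed clock and constructed requests.
my $t0 = 1_060_000_000;
my $s  = new_session('Mozilla/5.0 (X11)', '10.0.0.5', $t0);
for my $req (
    [ 'Mozilla/5.0 (X11)', '10.0.0.5', $t0 + 10 ],   # same client: accept
    [ 'Mozilla/5.0 (X11)', '10.0.0.9', $t0 + 20 ],   # proxy pool hop: tolerated
    [ 'curl/7.10',         '10.0.0.9', $t0 + 25 ],   # UA changed: reject
    [ 'Mozilla/5.0 (X11)', '10.0.0.9', $t0 + 1000 ], # quiet too long: idle
) {
    my ($ok, $why) = validate_request($s, @$req);
    printf "%-18s %-9s t+%-5d => %s (%s)\n",
        $req->[0], $req->[1], $req->[2] - $t0, $ok ? 'accept' : 'reject', $why;
}
rotate_session($s);   # e.g. right after a successful login
```

The heuristic only narrows the window in which a stolen id is useful; it does not identify the user, which is exactly the point of the post. The short lifetime and the rotation on login do most of the real work, and the UA/IP comparison is a cheap extra signal that should be logged when it fires so operators can see how often legitimate clients trip it before tightening it.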