True. People can steal sessions within a firewall as well. Unless browsers can do digital signatures, there is no good way to validate users. I think you would agree that for now it comes down to two choices:

1. Focus on convenience, let security slack a little, or
2. Focus on security, and tolerate some inconvenience.

W3C, please do something!!

On Fri, 2005-07-08 at 14:53 -0400, Michael Caplan wrote:
> I just was reading a thread on the PHPSEC list, where one of the developers
> of FUD Forums (Ilia) was mentioning his experience with AOL users. He
> claims that IPs can change as frequently as every request to the server.
> I've also noted similar (but not as drastic) effects. IPs are really not a
> good fingerprint for a user, unless you are fine with invalidating users on
> a frequent basis.
>
> Michael
>
> > -----Original Message-----
> > From: Ezra Nugroho [mailto:enugroho@xxxxxxxxxxxxxxx]
> > Sent: Friday, July 08, 2005 11:49 AM
> > To: Michael Caplan
> > Subject: RE: Re: Security, Late Nights and Overall Paranoia
> >
> > True, but it's better than nothing.
> >
> > IP doesn't change that often, maybe at worst once every hour.
> > Sensitive cookies should not live that long anyway.
> >
> > It's not a great solution, but it's something.
> >
> > On Fri, 2005-07-08 at 14:41 -0400, Michael Caplan wrote:
> > > IPs are unreliable. An IP will change frequently if a user travels
> > > through a proxy pool, like AOL users, or just about any user from a
> > > large ISP.
> > >
> > > Michael
> > >
> > > > -----Original Message-----
> > > > From: Ezra Nugroho [mailto:enugroho@xxxxxxxxxxxxxxx]
> > > > Sent: Friday, July 08, 2005 11:25 AM
> > > > To: Edward Vermillion
> > > > Cc: php Lists
> > > > Subject: Re: Re: Security, Late Nights and Overall Paranoia
> > > >
> > > > Here is one security measure that you HAVE to do if you allow people
> > > > to submit contents to your site.
> > > >
> > > > 1. Track the client's IP.
> > > > 2.
> > > > Associate sensitive cookies with the IP; if they don't match, ignore
> > > > it or invalidate the cookie.
> > > >
> > > > We may not stop the information redirection.
> > > > We can make the information invalid.
> > > >
> > > > Regards,
> > > >
> > > > Ezra
> > > >
> > > > On Fri, 2005-07-08 at 12:31 -0500, Edward Vermillion wrote:
> > > > > On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote:
> > > > >
> > > > > > I am just wondering, how could someone craft HTML to steal
> > > > > > cookies? If your cookie distribution is done right, I don't think
> > > > > > you need to worry about this.
> > > > >
> > > > > That's what XSS is all about. I don't have the link handy but I do
> > > > > have a PDF file that I found a while back that explains how this
> > > > > happens, and to tell the truth, it scared the s*** outa me. To the
> > > > > point that I really don't trust any online commerce, although I do
> > > > > still use it, just as I still give the waitress/waiter my credit
> > > > > card at a restaurant, even though I know that's where most of the
> > > > > identity theft/stolen CC numbers come from.
> > > > >
> > > > > > There are a gazillion sites (CMS-based, wiki-based, etc.,
> > > > > > including php.net) that allow users to contribute HTML. They are
> > > > > > not concerned about security of data delivery.
> > > > >
> > > > > Yeah I know... :P
> > > > >
> > > > > > I think page-breaking HTML is a more prominent issue, which you
> > > > > > could eliminate with BBcode or wiki language.
> > > > > >
> > > > > > Perhaps you are being a little paranoid?
> > > > > > Or am I missing something?
> > > > >
> > > > > So yeah, I'm being paranoid but I'm also trying to cover as many
> > > > > bases as I can and yet still provide some decent functionality.
> > > > >
> > > > > Edward Vermillion
> > > > > evermillion@xxxxxxxxxxxx
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
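As an added example (not code from the thread, from FUD Forums or from php.net), here is how the two-step measure Ezra describes, recording the client's IP at login, tying the sensitive session to it and invalidating on mismatch, combined with the short cookie lifetime he mentions, looks in PHP. The function names, the 15-minute limit, the cookie attributes and the sample addresses and timestamps are assumptions made for this illustration; an array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from any project named in it.
// It implements the two-step measure Ezra describes (record the client IP,
// tie the sensitive session to it and invalidate on mismatch) together with
// the short lifetime he mentions. Function names, the 15-minute limit and the
// sample addresses/timestamps are assumptions made for this illustration.

const SESSION_MAX_AGE = 900; // seconds; "sensitive cookies should not live that long anyway"

/**
 * Cookie attributes for the real PHP session cookie (assumed values).
 * HttpOnly keeps script injected via XSS, the theft path Edward worries about,
 * from reading the cookie; the short lifetime bounds how long a copied cookie
 * stays useful. Must run before any output is sent.
 */
function configure_session_cookie(): bool
{
    return session_set_cookie_params([
        'lifetime' => SESSION_MAX_AGE,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Step 1: record the client's address and the issue time once login succeeds. */
function bind_session(array &$session, string $ip, int $now): void
{
    $session['bound_ip']  = $ip;
    $session['issued_at'] = $now;
}

/**
 * Step 2: decide whether a presented session is still trusted.
 * Returns 'ok', 'unbound', 'expired' or 'ip_mismatch'.
 */
function check_session(array $session, string $ip, int $now): string
{
    if (!isset($session['bound_ip'], $session['issued_at'])) {
        return 'unbound';
    }
    if ($now - (int) $session['issued_at'] > SESSION_MAX_AGE) {
        return 'expired';
    }
    if ($session['bound_ip'] !== $ip) { // strict compare, no loose "==" surprises
        return 'ip_mismatch';
    }
    return 'ok';
}

/**
 * Per-request gate. Anything but 'ok' empties the session server-side, so a
 * cookie that was copied elsewhere becomes worthless ("we can make the
 * information invalid"). With real PHP sessions this is where
 * session_destroy() and session_regenerate_id() would go.
 */
function handle_request(array &$session, string $ip, int $now): string
{
    $verdict = check_session($session, $ip, $now);
    if ($verdict !== 'ok') {
        $session = [];
    }
    return $verdict;
}

// --- Constructed walk-through; addresses are from the 192.0.2.0/24 documentation range ---
configure_session_cookie();

$session = [];
$t0 = 1000000; // constructed login timestamp

bind_session($session, '192.0.2.10', $t0);
echo handle_request($session, '192.0.2.10', $t0 + 60), PHP_EOL;   // same client, within lifetime

// Same cookie, different address: either a proxy-pool user like the AOL case
// Michael describes, or a stolen cookie replayed from elsewhere. The check
// cannot tell these apart, which is exactly the convenience/security trade-off
// in the thread; this version errs on the side of invalidating.
echo handle_request($session, '192.0.2.77', $t0 + 120), PHP_EOL;
echo handle_request($session, '192.0.2.10', $t0 + 130), PHP_EOL;  // session already dropped above

// Fresh login, then the cookie outlives SESSION_MAX_AGE.
bind_session($session, '192.0.2.10', $t0);
echo handle_request($session, '192.0.2.10', $t0 + 901), PHP_EOL;
```

The four calls to `handle_request()` return `ok`, `ip_mismatch`, `unbound` and `expired` in that order. The exact-match comparison is the strict variant Michael warns about: a user behind a rotating proxy pool will be logged out on the first request that arrives from a new address, so the server-side invalidation is the part worth keeping even if a deployment relaxes the IP check.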