Re: how to create 'remember login' functionality during login

Posted by Jerry Stuckle on 11/03/07 01:28

Sanders Kaufman wrote:
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:A6adnVQvS9E3r7fanZ2dnUVZ_o_inZ2d@comcast.com...
>> Sanders Kaufman wrote:
>
>>> The current user, of course. Or in a word... "currency".
>>> While it's true a user can come from any number of IPs - they can only
>>> come from one per session.
>> Wrong. Each request may come from a different IP - for instance, if they
>> have multiple proxies running in parallel. AOL is an example.
>
> Yeah - that's why AOL users have so many problems with so many otherwise
> secure sites.
>
> Trying to *authenticate* a user through a proxy network that, as one of its
> marketing tools, advertises the fact that it MASQUES the user's identity is
> not just difficult - it's insane. It can be done - but man, oh man, what a
> complex task!
>

If the proxies are set up properly, it's not a problem - even if it
masks the user's identity. And if they're set up incorrectly, it's not
YOUR problem. :-)


> I had one customer, many many years ago, who came up with an idea of texting
> a password to a user's cell phone.
> That one worked pretty good through proxies and it was simple - although, it
> wasn't very scalable.
>

Wouldn't get me, then. I don't give out my cell phone number.
Customers do get a pager number (which is more reliable for me, anyway).

>>> If that changes from the time that they login to the time they do
>>> something secure, you gotta revalidate.
>>> If you don't, then you open a window for session hijackers.
>> Revalidate on every request?
>
> Sometimes, it could work out that way.
> But no - just if the cookie that was sent to one IP shows up as coming from
> another.
> And even then - only if they try to access secure data.
> For the UI's Remember Me - I don't check the IP.
>
>

As long as you aren't checking the IP, it shouldn't be a problem.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
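
The policy discussed in the quoted exchange above (no IP check for ordinary or remember-me pages, revalidation only when a request for secure data arrives from a different address than the login did), as an added PHP example that is not code from either poster. The function names, session keys and sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: call once after a successful password check
// (and again after a successful revalidation, with the new address).
function mark_login(array &$session, int $userId, string $ip): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID after authentication
    }
    $session['user_id']  = $userId;
    $session['login_ip'] = $ip;      // address the credentials were presented from
}

// Hypothetical helper: returns 'login', 'allow' or 'revalidate' for one request.
function access_decision(array $session, string $ip, bool $sensitive): string
{
    if (!isset($session['user_id'])) {
        return 'login';
    }
    if (!$sensitive) {
        // Ordinary pages: the IP is not checked, because a proxy pool
        // may deliver each request from a different address.
        return 'allow';
    }
    // Compare binary forms so different spellings of one address still match.
    $then = @inet_pton($session['login_ip'] ?? '');
    $now  = @inet_pton($ip);
    if ($then === false || $now === false || $then !== $now) {
        return 'revalidate'; // ask for the password again before showing secure data
    }
    return 'allow';
}

// Constructed sample requests (documentation address ranges, not real hosts).
$session = [];
mark_login($session, 42, '192.0.2.10');
$requests = [
    ['192.0.2.10',   false], // same address, ordinary page
    ['198.51.100.7', false], // different proxy, ordinary page
    ['198.51.100.7', true],  // different proxy, secure data
    ['192.0.2.10',   true],  // same address, secure data
];
foreach ($requests as [$ip, $sensitive]) {
    $result = access_decision($session, $ip, $sensitive);
    printf("%-13s sensitive=%d -> %s\n", $ip, $sensitive, $result);
}
```

In a web request the caller would pass `$_SESSION` and `$_SERVER['REMOTE_ADDR']`; the demo loop at the bottom only exercises the decision function from the command line.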

 
