Sessions

Pat Farrell pfarrell at pfarrell.com
Mon Jun 16 11:00:09 EDT 2003


At 03:36 PM 6/16/2003 +0100, Jill.Ramonsky at Aculab.com wrote:
> > On Mon, Jun 16, 2003 at 10:47:04AM +0100, Jill.Ramonsky at Aculab.com wrote:
> > > session id). Authentication of subsequent pages is assumed only if the
> > > client's IP address matches the IP address stored in the session
> > with distributed proxies, it just plain won't work.
>
>I think I understand this, but I'm not sure if it matters.

It matters because IP addresses are no longer
assigned to computers. Up until the mid-to-late 90s,
your approach would have "worked" although
it would not have been very secure. Perhaps it would
have helped some, as you suggest.

>The point is that, since IP spoofing is difficult (at least, considerably
>MORE difficult than stealing a session key), you could be fairly sure you
>were cutting out an awful lot of hacker attacks.

This is your logical error. IP spoofing is not difficult and it is
not rare. It is a constant part of any NAT (network address translation)
system. It is used everywhere by proxies. You may have
hundreds or even thousands of individual computers
masked behind a proxy, all with the same IP address.

The second problem is that many ISPs, especially AOL,
change the IP address during a session. We learned
this the hard way back in 97 at CyberCash, when we
tried the same idea.

The solution is not very hard: set a cookie with a strongly created
nonce, use that to index into the table of valid sessions. At least
it is easy until you want to scale it to many servers.

Pat

Pat Farrell                     pfarrell at pfarrell.com
http://www.pfarrell.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
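
The cookie-nonce session table described in the message above, as an added example that is not part of the original post. The class and cookie names are hypothetical, and the idle timeout and the choice to store only a digest of the nonce are assumptions of this sketch.

```python
# Added example (not from the original post): cookie nonce -> session table.
import hashlib
import secrets
import time

SESSION_TTL = 1800   # seconds; assumed idle timeout, not from the post
COOKIE_NAME = "sid"  # hypothetical cookie name


class SessionTable:
    """In-memory table of valid sessions, indexed by a random nonce."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._rows = {}  # sha256(nonce) -> (user, expiry)

    @staticmethod
    def _key(nonce):
        # Store only a digest so a leaked table does not yield usable cookies.
        return hashlib.sha256(nonce.encode("ascii")).hexdigest()

    def create(self, user):
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._key(nonce)] = (user, self._clock() + self._ttl)
        return nonce

    def lookup(self, nonce):
        """Return the user for a valid nonce, else None. The client IP is never consulted."""
        if not isinstance(nonce, str) or not nonce.isascii():
            return None
        key = self._key(nonce)
        row = self._rows.get(key)
        if row is None:
            return None
        user, expiry = row
        if self._clock() >= expiry:
            del self._rows[key]  # expired: drop the row
            return None
        self._rows[key] = (user, self._clock() + self._ttl)  # sliding expiry
        return user

    def destroy(self, nonce):
        self._rows.pop(self._key(nonce), None)  # logout


def set_cookie_header(nonce):
    # Secure/HttpOnly/SameSite keep the nonce off plaintext links and scripts.
    return f"Set-Cookie: {COOKIE_NAME}={nonce}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The table lives in one process, which is the single-server case; sharing it across many servers is the scaling problem the message mentions.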


