Re: Session Fixation
From: HarryM <harrym(at)the-group.org>
Date: Mon Mar 31 2003 - 18:28:18 EST

> Actually, I think suggesting to anyone that they invest in half-measures
One should never rely on IP for *anything* :-)

I agree, except to say that I wouldn't consider it "investing in half measures" - at least, not the way I've coded it - since (a) it's one small measure among many other precautions taken (tamper-proof cookies, detection of scripted attacks, input validation, account lockouts, and so on) and (b), at ~5 lines of code, it's not much of an investment!

I very much agree that it should be made known to as many people as possible that IP, in the context of web services, is unreliable as a means of identification, as silly as that may sound to the uninitiated, and that it should never be depended on for anything - least of all security.

HarryM

Received on Mon Mar 31 18:54:21 2003