[cvs] commit: horde/docs CHANGES horde/lib Auth.php horde/config conf.php.dist
Michael M Slusarz
slusarz at bigworm.colorado.edu
Wed Jul 9 23:42:39 PDT 2003
slusarz 2003/07/09 23:42:39 PDT
Modified files:
docs CHANGES
lib Auth.php
config conf.php.dist
Log:
Added IP Address check to Auth::authenticate() to increase security.
From Nag on dev.horde.org:
--
This will prevent an attacker from acquiring a session on one host and
"fixing" it to a victim on another host. Granted, it's possible that the
attacker and the victim could be behind the same address proxy (so that they
would legitimately appear to connect from the same IP address), but this
countermeasure would likely prove effective in the majority of the cases.
--
After sufficient testing, this should probably default to on.
Alas, this doesn't cover the 'application' authentication type (like IMP)
since they don't call Auth::authenticate(). Should we try to tie these
application authentication types into Auth:: better?
Revision  Changes  Path
1.49      +7 -1    horde/config/conf.php.dist
1.405     +1 -0    horde/docs/CHANGES
1.91      +8 -3    horde/lib/Auth.php
Chora Links:
http://cvs.horde.org/diff.php/horde/config/conf.php.dist?r1=1.48&r2=1.49&ty=u
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.404&r2=1.405&ty=u
http://cvs.horde.org/diff.php/horde/lib/Auth.php?r1=1.90&r2=1.91&ty=u
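
The check described in the log message, as an added example that is not part of the original commit and is not Horde's Auth.php: a session is bound to the address seen at login and refused from any other address. The class, method and flag names are hypothetical, the session store is an in-memory array, and the addresses are constructed documentation-range values.

```php
<?php
// Added illustration, not Horde's Auth.php. Class, method and flag names are hypothetical.
final class IpBoundAuth
{
    /** @var array Constructed in-memory session store: id => [user, ip] */
    private $sessions = [];
    /** @var bool Hypothetical switch standing in for the new configuration option */
    private $checkIp;

    public function __construct(bool $checkIp)
    {
        $this->checkIp = $checkIp;
    }

    // At login, remember the address the credentials were presented from.
    // In a web request this would be $_SERVER['REMOTE_ADDR'].
    public function login(string $sid, string $user, string $remoteAddr): void
    {
        $this->sessions[$sid] = ['user' => $user, 'ip' => $remoteAddr];
    }

    // A session is honoured only if it exists and, with the check enabled,
    // the request arrives from the address recorded at login.
    public function authenticate(string $sid, string $remoteAddr): bool
    {
        if (!isset($this->sessions[$sid])) {
            return false;
        }
        if ($this->checkIp && $this->sessions[$sid]['ip'] !== $remoteAddr) {
            return false; // reject, but leave the owner's session intact
        }
        return true;
    }
}

// Constructed sample addresses (documentation ranges).
$victim = '192.0.2.10';
$other  = '198.51.100.7';
$proxy  = '203.0.113.5'; // one address shared by two clients behind a proxy

foreach ([true, false] as $checkIp) {
    $auth = new IpBoundAuth($checkIp);
    $auth->login('sid-a', 'alice', $victim);
    $auth->login('sid-b', 'bob', $proxy);
    printf("check=%s owner=%s other-host=%s shared-proxy=%s\n",
        var_export($checkIp, true),
        var_export($auth->authenticate('sid-a', $victim), true),
        var_export($auth->authenticate('sid-a', $other), true),
        var_export($auth->authenticate('sid-b', $proxy), true)); // second client, same address
}
```

The shared-proxy column stays accepted with the check on because a second client behind the same proxy presents the same address as the session owner, which is the limitation the quoted note concedes.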