[dev] multiple different user logins
Chuck Hagenbuch
chuck@horde.org
Wed, 29 Nov 2000 10:27:41 -0500
Quoting Michael Bull <mbull@uoguelph.ca>:
> The exposure being that if someone can read that session ID while the
> session is still active, they could conceivably 'hijack' control of one's
> session, right?
Correct.
> Whereas this is harder to do with cookies, but still possible with malicious
> scripts? (I'm just trying to get a feel for the overall topic of security
> of one's session so I know what context to put this in).
Define malicious scripts? You'd have to get a script on to the server that IMP
was running on, which - if you've secured the IMP box properly - should be
[very hard | impossible] to do.
> That exposure would go away if session IDs were associated with IPs,
> right? Is there any reason that this isn't done? (ie, knowing that
> session x is owned by 127.0.0.1, and that sessions shouldn't shift IPs?) I
> imagine this would have to be a PHP thing... unless IMP captures the IP as
> a session variable and there is some way to check that it hasn't changed?
Because IPs can change over the course of a session, and because large blocks
of users often share IPs. For instance, anyone who uses DHCP might have their
IP change on them in the middle of browsing. And anyone using AOL, or at a
company with a firewall, might appear to be coming from the exact same IP
address as everyone else at that company (or in the case of AOL, with another
huge set of users).
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"If you can't stand the heat, get out of the chicken!" - Baby Blues
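
Added example, not part of the original message and not IMP or Horde code: a strict session-to-IP check run over constructed requests, showing the two failure modes described in the reply (an owner whose DHCP address changes is rejected, and a second user behind the same shared address is accepted). The function names, session IDs and addresses are all hypothetical.

```php
<?php
// Added illustration; not IMP/Horde code. All names and addresses are constructed.

// Hypothetical server-side session table: session ID => IP recorded at login.
$sessions = [];

function login(array &$sessions, string $sid, string $ip): void
{
    $sessions[$sid] = $ip;
}

// Strict IP binding: accept a request only if it comes from the login IP.
function ip_bound_check(array $sessions, string $sid, string $ip): bool
{
    return isset($sessions[$sid]) && $sessions[$sid] === $ip;
}

login($sessions, 'sid-alice', '192.0.2.10');   // Alice, on a DHCP connection
login($sessions, 'sid-bob', '198.51.100.1');   // Bob, behind a shared proxy/firewall

// Constructed requests: [who, session ID presented, source IP, is the real owner]
$requests = [
    ['Alice, same lease',                 'sid-alice', '192.0.2.10',   true],
    ['Alice, after DHCP lease change',    'sid-alice', '192.0.2.57',   true],
    ['Bob, via shared proxy',             'sid-bob',   '198.51.100.1', true],
    ['Other user behind Bob\'s proxy',    'sid-bob',   '198.51.100.1', false],
    ['Outsider with Alice\'s session ID', 'sid-alice', '203.0.113.9',  false],
];

foreach ($requests as [$who, $sid, $ip, $legit]) {
    $accepted = ip_bound_check($sessions, $sid, $ip);
    if ($accepted && !$legit) {
        $verdict = 'FALSE ACCEPT (shared IP, check does not help)';
    } elseif (!$accepted && $legit) {
        $verdict = 'FALSE REJECT (owner is logged out)';
    } else {
        $verdict = $accepted ? 'accepted' : 'rejected';
    }
    printf("%-34s %-13s %s\n", $who, $ip, $verdict);
}
```

Only the last request, from an unrelated address, is stopped for the right reason; the lease-change and shared-proxy rows are the cases the reply describes.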