[dev] Re: [cvs] commit: horde/docs CHANGES horde/lib Auth.php horde/config conf.php.dist
Chuck Hagenbuch
chuck at horde.org
Thu Jul 10 06:56:30 PDT 2003
Quoting Michael M Slusarz <slusarz at bigworm.colorado.edu>:
> Log:
> Added IP Address check to Auth::authenticate() to increase security.
> From Nag on dev.horde.org:
> --
> This will prevent an attacker from acquiring a session on one host and
> "fixing" it to a victim on another host. Granted, it's possible that the
> attacker and the victim could be behind the same address proxy (so that they
> would legitimately appear to connect from the same IP address), but this
> countermeasure would likely prove effective in the majority of the cases.
> --
> After sufficient testing, this should probably default to on.
> Alas, this doesn't cover the 'application' authentication type (like IMP)
> since they don't call Auth::authenticate(). Should we try to tie these
> application authentication types into Auth:: better?
Yes, we should. I don't have time just at the moment to look at it, so make sure
it gets added to Nag if someone doesn't do it soon or discussion doesn't
continue, etc.
Thanks!
-chuck
--
Charles Hagenbuch, <chuck at horde.org>
The alligators were there, too, in a bathtub inside the house.
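As an added illustration of the check the commit describes, not Horde's own Auth.php or config code: the client address is recorded when authentication succeeds and compared on every later request, so a session id fixed by an attacker on one host stops working when presented from another. The function names, the `checkip` flag and the sample addresses are assumed for this example.

```php
<?php
// Added example, not Horde code. Binds an authenticated session to the
// address it was authenticated from and re-checks it on each request.

// Called once, when the credentials have been verified (the point where
// Auth::authenticate() succeeds in the commit being discussed).
function bindSessionToAddress(array &$session, string $remoteAddr): void
{
    $session['auth'] = true;
    $session['remote_addr'] = $remoteAddr;
}

// Returns true if the session may still be treated as authenticated for a
// request arriving from $remoteAddr. $checkIp mirrors a hypothetical
// 'checkip' config switch; false reproduces the pre-commit behaviour.
function sessionAddressMatches(array $session, string $remoteAddr, bool $checkIp): bool
{
    if (!$checkIp) {
        return true;
    }
    if (empty($session['auth']) || !isset($session['remote_addr'])) {
        return false;              // never authenticated, or no address recorded
    }
    // Use the transport-level peer address ($_SERVER['REMOTE_ADDR'] in a
    // real request); headers such as X-Forwarded-For are client-controlled.
    return $session['remote_addr'] === $remoteAddr;
}

// Constructed walk-through using RFC 5737 documentation addresses.
$session = [];
bindSessionToAddress($session, '198.51.100.10');       // victim logs in from here

// Same address: the victim keeps working normally.
var_dump(sessionAddressMatches($session, '198.51.100.10', true));

// Same session id presented from a different address (the fixation scenario):
// a caller would discard the session here, e.g. session_destroy(), and force
// a fresh login. Users behind one shared proxy address are not distinguished,
// which is the limitation the commit message acknowledges.
var_dump(sessionAddressMatches($session, '203.0.113.7', true));
```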