[dev] Re: [cvs] commit: horde/docs CHANGES horde/lib Auth.php horde/config conf.php.dist

Brian M.Dube brian.dube at gotgoat.com
Thu Jul 10 19:38:45 PDT 2003


What about fingerprinting instead of checking the IP address to get 
around the problem with proxies? I found something similar to the 
following example in an article about session security:

$fingerprint = md5($_SERVER['HTTP_USER_AGENT'] . 
$_SERVER['HTTP_ACCEPT'] . $_SERVER['HTTP_ACCEPT_ENCODING']);

The article suggested using these headers because they're almost always 
supplied and usually vary enough between users to use as a fingerprint. 
Maybe the performance hit of the md5 call is enough to keep this from 
being added to the authentication checks, but it works.

Quoting Chuck Hagenbuch <chuck at horde.org>:

> Quoting Michael M Slusarz <slusarz at bigworm.colorado.edu>:
>
>>   Log:
>>   Added IP Address check to Auth::authenticate() to increase security.
>>   From Nag on dev.horde.org:
>>   --
>>   This will prevent an attacker from acquiring a session on one host and
>>   "fixing" it to a victim on another host.  Granted, it's possible that the
>>   attacker and the victim could be behind the same address proxy (so that they
>>   would legitimately appear to connect from the same IP address), but this
>>   countermeasure would likely prove effective in the majority of the cases.
>>   --
>>   After sufficient testing, this should probably default to on.
>>   Alas, this doesn't cover the 'application' authentication type (like IMP)
>>   since they don't call Auth::authenticate(). Should we try to tie these
>>   application authentication types into Auth:: better?
>
> Yes, we should. I don't have time just at the moment to look at it, so make sure
> it gets added to Nag if someone doesn't do it soon or discussion doesn't
> continue, etc.
>
> Thanks!
>
> -chuck
>
> --
> Charles Hagenbuch, <chuck at horde.org>
> The alligators were there, too, in a bathtub inside the house.
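A worked version of the header-fingerprint idea from the post above, written as an added example for this thread; it is not Horde's Auth.php code, and the function names (session_fingerprint, bind_session, session_matches) and the stored session keys are assumptions made here. Compared with the two-line snippet in the post it binds the fingerprint at login, joins the header values with a separator so that two different header sets cannot concatenate to the same string, substitutes a fixed marker when a browser omits one of the headers, and keeps the IP comparison from the commit as a separate switch so the proxy case from the commit message can be handled by configuration. The fingerprint itself is not a secret: every input is sent by the client, so the check only stops an attacker who cannot present the victim's exact headers.

```php
<?php
// Added example, not Horde project code. Binds a fingerprint of request
// headers to the session at login and verifies it on later requests.

// Headers the fingerprint is built from (the same three the post mentions).
const FINGERPRINT_HEADERS = ['HTTP_USER_AGENT', 'HTTP_ACCEPT', 'HTTP_ACCEPT_ENCODING'];

function session_fingerprint(array $server): string
{
    $parts = [];
    foreach (FINGERPRINT_HEADERS as $name) {
        // A missing header becomes a fixed marker rather than an empty string,
        // so the value stays stable and no notice is raised.
        $parts[] = $server[$name] ?? '-';
    }
    // Join with a separator: plain concatenation would let "ab" + "c" and
    // "a" + "bc" hash to the same value. sha256 instead of md5; the cost is
    // negligible next to the rest of a request.
    return hash('sha256', implode("\n", $parts));
}

// Called once, right after credentials are verified. $session is normally
// $_SESSION; it is a parameter here so the function can be exercised offline.
function bind_session(array $server, array &$session): void
{
    $session['auth_fingerprint'] = session_fingerprint($server);
    $session['auth_ip']          = $server['REMOTE_ADDR'] ?? '';
}

// Called on every authenticated request. $check_ip mirrors the commit's
// optional IP check: off for sites whose users sit behind rotating proxies.
function session_matches(array $server, array $session, bool $check_ip): bool
{
    if (!isset($session['auth_fingerprint'])) {
        return false; // never bound, e.g. a session that skipped authenticate()
    }
    // Constant-time comparison so a mismatch reveals nothing about the hash.
    if (!hash_equals($session['auth_fingerprint'], session_fingerprint($server))) {
        return false;
    }
    if ($check_ip && ($session['auth_ip'] ?? '') !== ($server['REMOTE_ADDR'] ?? '')) {
        return false;
    }
    return true;
}

// Constructed demonstration data, not captured traffic.
$login = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux)',
    'HTTP_ACCEPT'          => 'text/html,application/xhtml+xml',
    'HTTP_ACCEPT_ENCODING' => 'gzip, deflate',
];
$session = [];
bind_session($login, $session);

// Same browser, same address: passes with or without the IP check.
var_dump(session_matches($login, $session, true));

// Different client presenting the same session id: fails on the fingerprint alone.
$other_client = $login;
$other_client['HTTP_USER_AGENT'] = 'curl/8.0';
var_dump(session_matches($other_client, $session, false));

// Same browser coming through a different proxy address: passes only while
// the IP check is off, which is the trade-off the commit message describes.
$proxied = $login;
$proxied['REMOTE_ADDR'] = '198.51.100.9';
var_dump(session_matches($proxied, $session, false));
var_dump(session_matches($proxied, $session, true));

// Browser that omits Accept-Encoding entirely: still gets a stable fingerprint.
$no_encoding = $login;
unset($no_encoding['HTTP_ACCEPT_ENCODING']);
$s2 = [];
bind_session($no_encoding, $s2);
var_dump(session_matches($no_encoding, $s2, true));
```

In a real login path, session_regenerate_id(true) should run before bind_session() so a session id an attacker planted in the victim's browser is discarded at authentication time; the fingerprint and IP checks then only have to catch a session that was hijacked afterwards.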


