[imp] Re: IMP/Session/IP

Michael M Slusarz slusarz at bigworm.colorado.edu
Thu Dec 26 17:55:18 PST 2002


Quoting j at thing.net
| today we had the following problem:
| someone was logged in to our webmail system and clicked on a
| link in an email. shortly after that
| someone else (the webmaster of the link he clicked on) was
| able to browse through the first persons email, thanks to the
| referer link he got in the logfiles.
| 
| to avoid that it would be important to check for the session
| if the IP is the IP of the person logged in.
| something like this would do it:
| 
| then the user authenticates:
| $ipaddr = $REMOTE_ADDR;
| session_register("ipaddr");
| 
| and when the user requests some site(mailbox.php,..):
| if($ipaddr != $REMOTE_ADDR) {
|    header("Location: login.php"); /* go to login page */
|    exit;
| }
| 
| this is also mentioned here:
| http://www.php.net/manual/en/ref.session.php

This is not something we are going to do since it is not the correct 
solution.  It is a bad idea because if the user's IP Address changes at 
all, it will ruin the session and will log them out.  In some instances, 
the fact that the user changed IP addresses does NOT mean that their 
connection/session is being hijacked.  For example, a user having a DHCP 
address that suddenly changes during the session (for whatever reason - 
e.g. an IP conflict during a session so the DHCP server assigns a different 
address) will be logged off without any warning.  This is definitely _not_ 
expected behavior.

Also, computers behind a proxy may send different IP addresses for 
different requests.  Thus, two consecutive requests to the webserver may 
come from two different proxy servers (and, thus, two different IPs).

Horde uses a combination of session IDs, authentication tokens, cookies, 
and secure connections to ensure the connection is secure.  If not using an 
SSL-enabled server, you should do so now.  There is really no excuse for 
running a Horde/IMP installation on an unsecured link; the accessibility 
(and price!) of Apache 2.0 and the SSL support it provides (or even Apache 
1.3 and mod_ssl) makes this a reality.

Additionally, if you look at the link you provided above, the solution you 
mention is expressly rejected further down (see the entry immediately below 
it). 

If you want to install this solution on your own system, do not use 
session_register().  Use $_SESSION instead.  The IP should be saved in 
IMP_Session:: and should be checked in base.php.

michael

______________________________________________
Michael Slusarz [slusarz at bigworm.colorado.edu]
The University of Colorado at Boulder

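As an added example (not Horde/IMP code and not posted in this thread), here is the check from the last paragraph written with $_SESSION instead of session_register(); the function names, the login.php path and the cookie-only/HTTPS session settings are assumptions, and the mismatch branch logs and forces re-authentication rather than failing silently, because of the DHCP and proxy cases raised above.

```php
<?php
// Added example, not IMP/Horde code. Assumed deployment: HTTPS only and the
// session ID carried in a cookie, never in the URL, so it cannot reach a
// linked site through the Referer header as in the reported incident.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_secure', '1');
session_start();

// Called once, right after the user has authenticated successfully.
function bind_session_to_client(): void
{
    // Fresh ID so an ID issued before login is not carried over.
    session_regenerate_id(true);
    $_SESSION['ipaddr']   = $_SERVER['REMOTE_ADDR'];
    $_SESSION['bound_at'] = time();
}

// Called at the top of every protected page (e.g. mailbox.php).
// Returns true when the request may proceed, false otherwise.
function session_client_matches(): bool
{
    if (!isset($_SESSION['ipaddr'])) {
        return false;                       // never authenticated
    }
    if ($_SESSION['ipaddr'] === $_SERVER['REMOTE_ADDR']) {
        return true;
    }
    // Mismatch: possibly a hijack, but just as possibly a DHCP renewal or
    // a rotating proxy pool. Record it for the operator, then drop the
    // session so the user is sent back to the login page.
    error_log(sprintf('session %s: client IP changed from %s to %s',
        session_id(), $_SESSION['ipaddr'], $_SERVER['REMOTE_ADDR']));
    session_unset();
    session_destroy();
    return false;
}

// Guard for protected pages (assumed login page path).
function require_bound_session(): void
{
    if (!session_client_matches()) {
        header('Location: login.php');
        exit;
    }
}
```

A login script would call bind_session_to_client() after verifying credentials, and each protected page would call require_bound_session() before any output.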
