[securityfilter-devel] New feature proposal: IP address fixing
From: Christopher S. <ch...@ch...> - 2007-12-12 21:55:26
All,

I'm considering adding another feature to the 2.x version of securityfilter. Let me know what you think.

Some web sites allow you to enable "IP address checking" or something sounding like that. Basically, your session will be tied to your IP address for extra security. That way, even if someone can guess your session id and submit it along with a request, they can't hijack your session. This will, of course, be optional to the user using the website. Some services like AOL use proxies for dialup traffic and that really screws things up when it comes to IP validation.

My plan is simply to store the remote user's IP address in the session and check against that as part of the authorization step (actually, it's before the authorization, but after authentication because that is tied to the realm, and I'd like to do this checking in a single place). I'll invent a default check-ip-address request parameter name and make it changeable via either a filter config-param or through the XML configuration file. (I think for sf 2.0 I'll go with a filter config param and for a future version, I'll go for an XML element, but comments are appreciated.) If that parameter has any value during login (or a specific value... I'd appreciate some feedback here), then we'll turn on this feature for the current session, and it will stay enabled until the session expires.

Any feedback on this is certainly welcome.

Thanks,
-chris
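The check described in the proposal, written out as a standalone servlet filter. This is an added illustration, not securityfilter's code; the parameter name `checkIpAddress`, the session attribute name, the `checkIpParamName` init-param and the `/j_security_check` login path are all assumed here, since the proposal leaves them undecided.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Ties a session to the client address it logged in from, if the user opted in at login. */
public class IpBindingFilter implements Filter {
    // Assumed names; the proposal says the real default will be invented later.
    private static final String DEFAULT_PARAM = "checkIpAddress";
    private static final String SESSION_ATTR = "sf.boundRemoteAddr";
    private static final String LOGIN_PATH = "/j_security_check"; // assumed login action
    private String paramName = DEFAULT_PARAM;

    public void init(FilterConfig cfg) {
        // Parameter name is overridable through a filter init-param, as the proposal suggests.
        String configured = cfg.getInitParameter("checkIpParamName");
        if (configured != null && !configured.isEmpty()) paramName = configured;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        // Compare the transport-level peer address; X-Forwarded-For is client-controlled
        // unless a trusted proxy sets it, so it is not used here.
        String remoteAddr = request.getRemoteAddr();

        if (session != null) {
            String bound = (String) session.getAttribute(SESSION_ATTR);
            if (bound != null && !bound.equals(remoteAddr)) {
                // Same session id presented from another address: drop the session.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // Bind only on the login request that carries the opt-in parameter, and only
            // once, so a later request cannot quietly re-bind the session elsewhere.
            boolean isLogin = request.getRequestURI().endsWith(LOGIN_PATH);
            if (bound == null && isLogin && request.getParameter(paramName) != null) {
                session.setAttribute(SESSION_ATTR, remoteAddr);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Users behind rotating proxies (the AOL case in the proposal) will be logged out on the first address change, which is why the binding stays opt-in rather than a default.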