Re: [securityfilter-devel] New feature proposal: IP address fixing
From: Max C. <ma...@ma...> - 2007-12-12 23:25:16
I think it would be wise to check for a specific value of the parameter, so that the behavior isn't surprising if someone implements a drop-down for it, the user picks "no", and then gets IP checking anyway. Perhaps accept "1", "true", and "yes" case-insensitively to turn it on, otherwise it's off. I don't recall what values the "remember me" feature accepts, but this new feature should be consistent.

-Max

On 12/12/07, Christopher Schultz <ch...@ch...> wrote:
> All,
>
> I'm considering adding another feature to the 2.x version of
> securityfilter. Let me know what you think.
>
> Some web sites allow you to enable "IP address checking" or something
> sounding like that. Basically, your session will be tied to your IP
> address for extra security. That way, even if someone can guess your
> session id and submit it along with a request, they can't hijack your
> session.
>
> This will, of course, be optional to the user using the website. Some
> services like AOL use proxies for dialup traffic and that really screws
> things up when it comes to IP validation.
>
> My plan is simply to store the remote user's IP address in the session
> and check against that as part of the authorization step (actually, it's
> before the authorization, but after authentication because that is tied
> to the realm, and I'd like to do this checking in a single place).
>
> I'll invent a default check-ip-address request parameter name and make
> it changeable via either a filter config-param or through the XML
> configuration file. (I think for sf 2.0 I'll go with a filter config
> param and for a future version, I'll go for an XML element, but comments
> are appreciated).
>
> If that parameter has any value during login (or a specific value... I'd
> appreciate some feedback here), then we'll turn on this feature for the
> current session, and it will stay enabled until the session expires.
>
> Any feedback on this is certainly welcome.
>
> Thanks,
> -chris
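
Added example, not part of the original thread and not securityfilter code: a sketch of the opt-in parsing suggested in the reply combined with the session-bound address check from the proposal. The class, method and attribute names are hypothetical, and a plain Map stands in for the servlet session so the block runs without the servlet API.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added illustration; every name here is hypothetical, not securityfilter's API. */
public class IpPinningExample {
    // Assumed session attribute key for the address recorded at login.
    static final String PINNED_IP = "example.pinnedIp";
    // Values that switch the feature on, as suggested in the reply.
    static final Set<String> ON_VALUES = Set.of("1", "true", "yes");

    /** Only an explicit affirmative value opts in; null, "", "no" and "0" leave it off. */
    static boolean optedIn(String param) {
        return param != null && ON_VALUES.contains(param.toLowerCase(Locale.ROOT));
    }

    /** Call once after successful authentication. */
    static void onLogin(Map<String, Object> session, String checkIpParam, String remoteAddr) {
        if (optedIn(checkIpParam)) {
            // Stays set until the session expires, as in the proposal.
            session.put(PINNED_IP, remoteAddr);
        }
    }

    /** Call on every request before authorization; false means the request is rejected. */
    static boolean requestAllowed(Map<String, Object> session, String remoteAddr) {
        Object pinned = session.get(PINNED_IP);
        // Sessions that never opted in are not checked at all.
        return pinned == null || pinned.equals(remoteAddr);
    }

    public static void main(String[] args) {
        // Constructed addresses from the RFC 5737 documentation ranges.
        Map<String, Object> pinnedSession = new HashMap<>();
        onLogin(pinnedSession, "Yes", "192.0.2.10");
        System.out.println("same address:      " + requestAllowed(pinnedSession, "192.0.2.10"));
        System.out.println("different address: " + requestAllowed(pinnedSession, "203.0.113.7"));

        // A drop-down submitting "no" must not enable the check.
        Map<String, Object> plainSession = new HashMap<>();
        onLogin(plainSession, "no", "192.0.2.10");
        System.out.println("opted out:         " + requestAllowed(plainSession, "203.0.113.7"));
    }
}
```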