Thread: [securityfilter-devel] New feature proposal: IP address fixing
Brought to you by:
chris_schultz,
maxcooper
Menu
▾
▴
securityfilter-devel
|
From: Christopher S. <ch...@ch...> - 2007-12-12 21:55:26
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, I'm considering adding another feature to the 2.x version of securityfilter. Let me know what you think. Some web sites allow you to enable "IP address checking" or something sounding like that. Basically, your session will be tied to your IP address for extra security. That way, even if someone can guess your session id and submit it along with a request, they can't hijack your session. This will, or course, be optional to the user using the website. Some services like AOL use proxies for dialup traffic and that really screws things up when it comes to IP validation. My plan is simply to store the remote user's IP address in the session and check against that as part of the authorization step (actually, it's before the authorization, but after authentication because that is tied to the realm, and I'd like to do this checking in a single place). I'll invent a default check-ip-address request parameter name and make it changeable via either a filter config-param or through the XML configuration file. (I think for sf 2.0 I'll go with a filter config param and for a future version, I'll go for an XML element, but comments are appreciated). If that parameter has any value during login (or a specific value... I'd appreciate some feedback here), then we'll turn on this feature for the current session, and it will stay enabled until the session expires. Any feedback on this is certainly welcome. Thanks, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHYFjD9CaO5/Lv0PARAvmKAKCI4cxucH9etBBZY4iNeC9233zh/QCdFDz/ 6vUFFPlvLvJhVTw+zJDOCOk= =xVCt -----END PGP SIGNATURE----- |
|
From: Max C. <ma...@ma...> - 2007-12-12 23:25:16
|
I think it would be wise to check for a specific value of the parameter, so that the behavior isn't surprising if someone implements a drop-down for it, the user picks "no", and then gets IP checking anyway. Perhaps accept "1", "true", and "yes" case-insensitively to turn it on, otherwise it's off. I don't recall what values the "remember me" feature accepts, but this new feature should be consistent. -Max On 12/12/07, Christopher Schultz <ch...@ch...> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > All, > > I'm considering adding another feature to the 2.x version of > securityfilter. Let me know what you think. > > Some web sites allow you to enable "IP address checking" or something > sounding like that. Basically, your session will be tied to your IP > address for extra security. That way, even if someone can guess your > session id and submit it along with a request, they can't hijack your > session. > > This will, or course, be optional to the user using the website. Some > services like AOL use proxies for dialup traffic and that really screws > things up when it comes to IP validation. > > My plan is simply to store the remote user's IP address in the session > and check against that as part of the authorization step (actually, it's > before the authorization, but after authentication because that is tied > to the realm, and I'd like to do this checking in a single place). > > I'll invent a default check-ip-address request parameter name and make > it changeable via either a filter config-param or through the XML > configuration file. (I think for sf 2.0 I'll go with a filter config > param and for a future version, I'll go for an XML element, but comments > are appreciated). > > If that parameter has any value during login (or a specific value... I'd > appreciate some feedback here), then we'll turn on this feature for the > current session, and it will stay enabled until the session expires. > > Any feedback on this is certainly welcome. > > Thanks, > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFHYFjD9CaO5/Lv0PARAvmKAKCI4cxucH9etBBZY4iNeC9233zh/QCdFDz/ > 6vUFFPlvLvJhVTw+zJDOCOk= > =xVCt > -----END PGP SIGNATURE----- > > ------------------------------------------------------------------------- > SF.Net email is sponsored by: > Check out the new SourceForge.net Marketplace. > It's the best place to buy or sell services > for just about anything Open Source. > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace > _______________________________________________ > securityfilter-devel mailing list > sec...@li... > https://lists.sourceforge.net/lists/listinfo/securityfilter-devel > |
|
From: Torgeir V. <to...@po...> - 2007-12-13 02:56:23
|
On 13 Dec 2007, at 07:55, Christopher Schultz wrote: > I'm considering adding another feature to the 2.x version of > securityfilter. Let me know what you think. > > Some web sites allow you to enable "IP address checking" or something > sounding like that. Basically, your session will be tied to your IP > address for extra security. That way, even if someone can guess your > session id and submit it along with a request, they can't hijack your > session. +1 provided that it's plug-able like the remember me functionality. -- Torgeir Veimo to...@po... |
|
From: Christopher S. <ch...@ch...> - 2008-03-13 23:58:43
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, Christopher Schultz wrote: | I'm considering adding another feature to the 2.x version of | securityfilter. Let me know what you think. | | Some web sites allow you to enable "IP address checking" or something | sounding like that. Basically, your session will be tied to your IP | address for extra security. That way, even if someone can guess your | session id and submit it along with a request, they can't hijack your | session. After implementing this, I'm starting to think that maybe it would be better to implement it separately (say, as a completely separate Filter). First, it's entirely orthogonal to both authentication and authorization (which is what sf is really for). Second, it requires additional processing of every request, which results in a (small) performance hit. Even offering this as an optional feature requires checking a flag for whether we should perform the check, etc. Honestly, I think this kind of pollutes sf. The only reason I was even considering it was because it sort of goes along with authorization, but in a completely different way. I'm not entirely objecting to inclusion in the project... I just think it should probably be put into a separate Filter that can be configured completely separately from the main sf Filter. Any thoughts? Thanks, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkfZv6cACgkQ9CaO5/Lv0PBCTQCgsCzHD4ht/wU9gEUfrFHPRcUK amIAnAwkV44XHmbYDglazcudX0/MGyNW =aSdv -----END PGP SIGNATURE----- |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X