Daniel J. Popowich
dpopowich at mtrsd.k12.ma.us
Mon Nov 24 15:10:15 EST 2003
Simon Willison writes:
> Michael C. Neel wrote:
> > ...now when we decode the cookie...
> >
> > 1. base64 decode it, and check our md5 sig
> > 2. ungzip the string and parse it back to its object/string form
> > 3. make sure the IP, user-agent match the current request
> > 4. make sure the timestamp is within our limit for a login
>
> One potential problem with checking the IP is that some people access
> the internet through a rotating proxy, meaning that subsequent requests
> might come from a different IP address (I've heard AOL does this). One
> way around this would be to check that at least the first two parts of
> the IP address stayed the same as only the last two would be likely to
> change if a rotating proxy was in use.

But the people most likely to steal your identity through packet sniffing
are the people on your own subnet; the teenage hacker down the street
looking for a thrill. That hacker, being on the same subnet, would have
the same network address and thus match the first few octets of the IP
address.

Dan
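The decode steps Michael lists, with Simon's two-octet workaround and Dan's objection, as an added worked example that is not code from anyone in this thread. It is a self-contained Python sketch: the serializer, the `SECRET`, the `LOGIN_TTL` window, the sample addresses and the sample timestamp are all assumed here (the thread does not specify them), JSON stands in for whatever object form the original used, and an HMAC-SHA256 over the compressed body replaces the thread's "md5 sig" so that a tampered cookie cannot simply be re-hashed by the attacker. The `ip_octets` parameter selects how many leading octets must match; the demo shows that with `ip_octets=2` the rotating-proxy client is accepted, but so is a sniffer on the same subnet, exactly as Dan argues.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Assumed values for the example: a real deployment loads the secret from
# configuration and never hard-codes it.
SECRET = b"example-secret-change-me"
LOGIN_TTL = 8 * 3600  # seconds a login cookie stays valid (assumed window)
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC prefixed to the body


def make_cookie(payload, secret=SECRET):
    """Encode side: serialize -> compress -> sign -> base64."""
    body = zlib.compress(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig + body).decode()


def ip_prefix(ip, octets):
    """First `octets` dotted-quad parts, e.g. ip_prefix('10.1.2.3', 2) -> '10.1'."""
    return ".".join(ip.split(".")[:octets])


def read_cookie(cookie, request_ip, request_ua, now=None,
                secret=SECRET, ip_octets=4):
    """Decode side. Returns the payload dict when every check passes,
    otherwise a short string naming the first check that failed."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return "bad base64"
    sig, body = raw[:SIG_LEN], raw[SIG_LEN:]
    # 1. verify the signature first; nothing else touches unauthenticated bytes
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    # 2. decompress and parse back into its object form
    try:
        payload = json.loads(zlib.decompress(body))
    except (zlib.error, ValueError):
        return "bad payload"
    # 3. bind to the client: compare the first `ip_octets` octets and the UA
    if ip_prefix(payload["ip"], ip_octets) != ip_prefix(request_ip, ip_octets):
        return "ip mismatch"
    if payload["ua"] != request_ua:
        return "user-agent mismatch"
    # 4. the login must be recent and not dated in the future
    if not 0 <= now - payload["ts"] <= LOGIN_TTL:
        return "expired"
    return payload


def demo():
    """Run the decode checks against constructed requests; returns a dict of outcomes."""
    issued = 1069704615  # constructed issue time (seconds since the epoch)
    ua = "Mozilla/5.0 (constructed)"
    cookie = make_cookie({"user": "alice", "ip": "192.168.10.5", "ua": ua, "ts": issued})
    soon = issued + 60

    # A cookie with one body byte flipped: the HMAC no longer matches.
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[-1] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()

    return {
        # the legitimate client from the address the cookie was issued to
        "owner, exact ip": read_cookie(cookie, "192.168.10.5", ua, now=soon),
        # Simon's workaround: a rotating proxy moved the client to another /24
        "rotating proxy, 2-octet check": read_cookie(cookie, "192.168.77.9", ua,
                                                     now=soon, ip_octets=2),
        # Dan's objection: a sniffer on the same subnet shares the prefix
        "same-subnet sniffer, 2-octet check": read_cookie(cookie, "192.168.10.44", ua,
                                                          now=soon, ip_octets=2),
        # the exact-address check does catch that sniffer
        "same-subnet sniffer, exact ip": read_cookie(cookie, "192.168.10.44", ua, now=soon),
        "wrong user-agent": read_cookie(cookie, "192.168.10.5", "curl/7", now=soon),
        "after login window": read_cookie(cookie, "192.168.10.5", ua,
                                          now=issued + LOGIN_TTL + 1),
        "tampered body": read_cookie(tampered, "192.168.10.5", ua, now=soon),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:38s} -> {outcome if isinstance(outcome, str) else 'accepted'}")
```

The signature is checked before decompression so that a forged cookie never reaches `zlib.decompress` or the parser; with the MD5-of-payload scheme as quoted, an attacker who can read the cookie can recompute the hash unless a server secret is mixed in, which is why the keyed HMAC is used here.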