Jim Gallacher
jg.lists at sympatico.ca
Wed Jun 15 17:48:59 EDT 2005
Jim Gallacher wrote:
> Graham Dumpleton wrote:
>
>> On 16/06/2005, at 6:36 AM, Dan Eloff wrote:
>>
>>> I was looking through the Session code and I found an omission that
>>> bothers me.
>>>
>>> In all the session mechanisms I've implemented in the past I have
>>> always checked that the person resuming the session is at the same IP
>>> as the person who created it.
>>>
>>> Anyone who gleans the session cookie (which is sent in plaintext on
>>> every request) could pass themselves off as the original person. If
>>> you check the IP you restrict this down from the entire internet to
>>> only people on the same network, which makes it less likely to happen.
>>>
>>> Is there a reason for omitting this, something I don't understand maybe?
>>
>> You can use req.connection to find the user's incoming IP address and
>> save that in the session yourself for later checking.
>>
>> I.e., not a prepackaged check, but the bits are there for you to do it
>> yourself in the manner you need.
>
> Since I'm (still) messing with the session code, maybe this is worth
> building into the base code now? If it is a security issue let's
> address it and save users the worry and bother of implementing their own.

Oh, and another thing that's always bothered me just a little - md5 collisions of the generated session ids. I know the probability of a collision is extremely low, but it is finite. Checking an existing session against the IP would eliminate any chance of a collision (I think).

Regards,
Jim
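The pattern Graham describes above (record the creating IP in the session, compare it on resume) and Jim's collision concern, as an added example that is not part of the thread or of mod_python's own Session code. It uses a constructed in-memory dict in place of a real session backend and an assumed md5-over-random-bytes id scheme; the IP check itself does not depend on how ids are generated.

```python
import hashlib
import os
import time


def new_session_id() -> str:
    """Assumed id scheme for illustration: md5 over random bytes and the clock."""
    return hashlib.md5(os.urandom(16) + str(time.time()).encode()).hexdigest()


def create_session(store: dict, remote_ip: str) -> str:
    """Create a session bound to remote_ip and return its id.

    The retry loop covers the finite collision case raised in the thread:
    a freshly generated id must not clobber an existing session.
    """
    sid = new_session_id()
    while sid in store:
        sid = new_session_id()
    store[sid] = {"_ip": remote_ip, "_created": time.time()}
    return sid


def resume_session(store: dict, sid: str, remote_ip: str):
    """Return the session for sid, or None if it is unknown or was created
    from a different IP (the cookie-theft case Dan describes)."""
    sess = store.get(sid)
    if sess is None:
        return None
    if sess["_ip"] != remote_ip:
        # Refuse to resume; the caller should start a fresh session instead.
        return None
    return sess


if __name__ == "__main__":
    # Constructed sample: one client creates a session, another reuses the cookie.
    store = {}
    sid = create_session(store, "192.0.2.10")          # documentation IP, constructed
    print(resume_session(store, sid, "192.0.2.10"))    # the session dict
    print(resume_session(store, sid, "198.51.100.7"))  # None: different IP
```

In a mod_python handler the remote_ip argument would come from req.connection.remote_ip and the store would be the Session object itself.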