[2335] in WWW Security List Archive
Re: REMOTE_HOST and REMOTE_ADDR security
daemon@ATHENA.MIT.EDU (Kent Cearley)
Sat Jul 6 16:14:07 1996
Date: Sat, 06 Jul 1996 12:30:15 -0600
To: www-security@ns2.rutgers.edu
From: Kent Cearley <Kent.Cearley@wizard.cusys.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
J,
>Well the exact situation that a local company is using is this. They use
>an SSL server, which means no proxy-cache is in use between the client and
>server. HTTP Basic Authentication is not used, instead a client has to
>give the username and password in a WWW form and cgi script uses these
>values to do authentication. After that the server uses clients IP adress
>to allow the client use some cgi scipts or data, that should be available
>to that client only. When the user leaves, they have to access a certain
>script to leave the server, thus freeing the IP address.
One other option in this scenario that's worked for me is: after the client
authenticates to your script, send back a cookie consisting of a large
random number. Stash the number in some random access file or indexed
database field on the server to check against future transactions (up to the
expiry period of the cookie.) This is harder to fake than an IP address, and
with SSL the cookie won't be stolen.
Kent Cearley
University of Colorado, Boulder
