[2557] in WWW Security List Archive
Re: Web servers and commercial applications
daemon@ATHENA.MIT.EDU (Ben Camp)
Fri Aug 2 13:26:45 1996
Date: Fri, 02 Aug 1996 09:55:33 -0500
To: Monish Raj <monish@ilx.com>, www-security@ns2.rutgers.edu
From: Ben Camp <benc@geocel.com>
Cc: monish@jelly.devo.ilx.com
Errors-To: owner-www-security@ns2.rutgers.edu
Well, you seem to be at least somewhat versed on HTTP. You should at least
realize that you do not have an HTTP connection open the whole time someone
is browsing the network.
Take the following examples of reasons why it is disadvantageous to do that:
1. Firewall (HTTP Proxy Server) - all requests are going to seem to come
from the same address. Since if you look at your CLF logs you'll notice
that almost any corporate hits are going to be through a proxy server.
2. PPP Dialups - I'd venture to say at least 95% (probably closer to 98 or
99%) of all PPP dialup customers are going to be operating on dynamic IP.
These people have no ability to keep the same IP address. Since the whole
purpose in dialup services is to not maintain the connection all the time,
it is perfectly reasonable that a dialup user might hit your site 5 times
from 5 different addresses throughout one day. Dialup accounts are
notoriously unreliable; a user may need to be disconnected, and since with HTTP
you have no means of keeping the connection open, the person's service is
interrupted. This opens potentially many DOS attacks towards the customers
of your system.
3. DHCP - As the world migrates to IP based networks, standards like DHCP
are obsoleting systems like you're trying to implement. Every time someone
reboots their computer (and even more often in some circumstances), it is
potentially going to have a different IP address.
My opinion is that your time would be better spent auditing the logs and
looking for extreme deviations etc. If you notice your user coming from 3
domains in 2 countries at the same time, then it's safe to bet there is
either illegal use on the account or he/she has given their account
information to a friend.
Ben Camp
>Hi,
>
>I'm interested in finding out if anyone is developing commercial
>applications for the web, what kind of issues you are facing,
>and which of these issues you have dealt with.
>
>My situation is the following:
>
>I am developing a service which would be run as a cgi
>script on a web server. There can be multiple services
>running on multiple such servers. These services would
>require user entitlements which would be based on a monthly
>fee.
>
>The HTTP spec does not provide for login to a group of
>servers, but I have been able to (with the help of a
>gentleman on the net) use cookies to do so if all the
>servers reside in the same domain.
>
>Here's the problem:
>
>If a user "logs in" to our group of servers from one machine,
>we don't want him/her to log in from another machine.
>
>Is anybody working towards a solution for such a problem? I
>have actually found paid services operating now (where the
>fee is charged per month, not per request) which allow the
>same username to access their services from multiple
>workstations, and we don't want to allow that.
>
>If anybody is working on something like this, I would like to
>hear from you. Any help would be appreciated.
>
>Thanks,
>
>-monish
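Ben's suggestion to audit the logs for extreme deviations, as an added example that is not from the list thread: a Python check over constructed Common Log Format lines that flags an account seen from more than two client addresses inside a ten-minute window, while a dynamic-IP dialup user whose address changes across the day, and two users sharing one proxy address, stay unflagged. The log lines, account names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$'
)

# Constructed sample: alice appears from three addresses in five minutes,
# bob (dialup, dynamic IP) from three addresses spread over seven hours,
# carol shares the proxy address 10.0.0.5 with alice, one hit is anonymous.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Aug/1996:09:00:12 -0500] "GET /service HTTP/1.0" 200 1234
192.0.2.7 - alice [02/Aug/1996:09:03:40 -0500] "GET /service HTTP/1.0" 200 1234
198.51.100.9 - alice [02/Aug/1996:09:05:01 -0500] "GET /service HTTP/1.0" 200 1234
203.0.113.1 - bob [02/Aug/1996:08:00:00 -0500] "GET /service HTTP/1.0" 200 1234
203.0.113.2 - bob [02/Aug/1996:11:00:00 -0500] "GET /service HTTP/1.0" 200 1234
203.0.113.3 - bob [02/Aug/1996:15:00:00 -0500] "GET /service HTTP/1.0" 200 1234
10.0.0.5 - carol [02/Aug/1996:09:01:00 -0500] "GET /service HTTP/1.0" 200 1234
10.0.0.5 - - [02/Aug/1996:09:02:00 -0500] "GET / HTTP/1.0" 200 50
""".splitlines()


def parse_clf(line):
    """Return (authuser, client host, timestamp), or None for unparseable lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("user"), m.group("host"), ts


def concurrent_address_alerts(lines, window=timedelta(minutes=10), max_hosts=2):
    """Map each account seen from more than max_hosts distinct client addresses
    within any sliding window to the sorted list of those addresses.  Keyed on
    the account rather than the address, so users behind a shared proxy are not
    confused with one another, and a dialup user whose address changes a few
    times per day is not flagged as long as the changes are spread out."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec is None or rec[0] == "-":  # skip unparseable and anonymous hits
            continue
        user, host, ts = rec
        per_user[user].append((ts, host))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts
```

Running `concurrent_address_alerts(SAMPLE_LOG)` flags only alice; the window and address threshold are the knobs to tune against your own proxy and dialup population.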