[2558] in WWW Security List Archive
Re: Web servers and commercial applications
daemon@ATHENA.MIT.EDU (skat@flask.com)
Fri Aug 2 20:51:02 1996
From: skat@flask.com
Date: Fri, 2 Aug 1996 17:15:46 +0000 ()
To: Monish Raj <monish@ilx.com>
cc: www-security@ns2.rutgers.edu, cwg@deepeddy.DeepEddy.Com
In-Reply-To: <199608012320.SAA29754@deepeddy.DeepEddy.Com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 1 Aug 1996, Chris Garrigues wrote:
>
> > If a user "logs in" to our group of servers from one machine,
> > we don't want him/her to log in from another machine.
>
> Doesn't sound that hard, but do note that you can't stop people behind a
> firewall from sharing accounts because they'll all look like they come from
> the same site. Also, there are lots of reasons someone might need to change
> where they come in from, many of which are out of their control. You'll need
> a reasonable way to manage this when it comes up.
>
> Chris
>
How about creating a shared directory (NFS) that keeps track of who is
logged in on the server side. Create a file when a user logs in and keep
the user's IP address in it. If you really want to be fancy, you could
generate a random number, which you send back as a cookie (for those
people behind the firewall) and keep the random number in the file. The
file should be deleted when the user logs out or after x amount of
inactive time.
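The scheme in the reply above, written out as an added example in Python (not code from the list or its posters): one lock file per user on the shared directory holding the client IP, a cryptographically random cookie token and a last-activity time, with the file removed on logout or after the idle timeout. The directory (a temp dir standing in for the NFS mount), the 30-minute timeout and the JSON record format are assumptions.

```python
import json
import os
import secrets
import tempfile

# Stand-in for the NFS share every web server mounts; one file per logged-in user.
SESSION_DIR = tempfile.mkdtemp(prefix="www-sessions-")
INACTIVITY_TIMEOUT = 30 * 60  # the post's "x amount of inactive time", assumed 30 min

def _path(user):
    return os.path.join(SESSION_DIR, "".join(c for c in user if c.isalnum()) + ".session")

def _load(user, now):
    # Return the live session record, deleting it first if it has gone idle.
    if not os.path.exists(_path(user)):
        return None
    with open(_path(user)) as f:
        rec = json.load(f)
    if now - rec["last_seen"] >= INACTIVITY_TIMEOUT:
        os.remove(_path(user))
        return None
    return rec

def login(user, client_ip, now):
    # `now` is the caller's time.time(); returns the cookie token, or None if already logged in.
    if _load(user, now) is not None:
        return None
    rec = {"ip": client_ip, "token": secrets.token_hex(16), "last_seen": now}
    try:  # O_EXCL: atomic create (NFSv3+ too), so two servers cannot both win the race
        fd = os.open(_path(user), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as f:
        json.dump(rec, f)
    return rec["token"]

def check(user, client_ip, token, now):
    # IP and cookie must both match; behind one firewall the cookie tells users apart.
    rec = _load(user, now)
    if rec is None or rec["ip"] != client_ip or \
            not secrets.compare_digest(rec["token"], token):
        return False
    rec["last_seen"] = now  # activity resets the inactivity timer
    with open(_path(user), "w") as f:
        json.dump(rec, f)
    return True

def logout(user):
    if os.path.exists(_path(user)):
        os.remove(_path(user))
```

Deleting the file on logout is what lets the user log in again from a different machine, and the token (rather than a guessable counter) is what stops one user behind a firewall from riding another's session.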