[16650] in bugtraq


Re: Intacct.com: Multiple bugs at financial services company

daemon@ATHENA.MIT.EDU (Smith, Eric V.)
Thu Sep 7 20:38:13 2000

Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <61475A6027E9D111BB25006008C3D3951E04A4@eastnor.windsor.com>
Date: Thu, 7 Sep 2000 18:20:33 -0400
Reply-To: "Smith, Eric V." <EricSmith@WINDSOR.COM>
From: "Smith, Eric V." <EricSmith@WINDSOR.COM>
X-To: Alan DeKok <aland@STRIKER.OTTAWA.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM

> -----Original Message-----
> From: Alan DeKok [mailto:aland@STRIKER.OTTAWA.ON.CA]
> Sent: Wednesday, September 06, 2000 1:34 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: Intacct.com: Multiple bugs at financial services company

<excellent http authentication discussion deleted>

>   The timeout information can be encoded in a cookie, too.  The server
> can then verify that the cookie is out of date, deny access, and ask
> "pretty-please" for the client to delete the cookie.
>
>   If the client doesn't delete the cookie, they *still* can't gain
> access, as the cookie itself contains information about when it
> expires.
>
>   e.g. cookie = MD5(secret + MD5(secret + expiry + client-IP +
> client-ID)) + expiry + client-id

Wow, what a great post.  Thanks.

My only concern is that the client-IP can't really be used.  If the client
is using some sort of outbound round-robin http proxy (like CARP) then
there's no guarantee that any 2 calls from the same client will be from the
same IP address.  I've run into this problem with @home, among others, while
trying inbound load balancing and sending clients back to the same http
server.  It just won't work.  It's been suggested that instead of a single
IP address, use some subnet with a mask, but that's no more reliable since
it's not guaranteed either.

Eric.
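The cookie scheme quoted above, and the client-IP problem raised in the reply, as an added example that is not part of either post. It implements the quoted construction literally (MD5(secret + MD5(secret + expiry + client-IP + client-ID)) + expiry + client-ID, with the client-IP term optional) and shows that the server enforces expiry regardless of whether the client discards the cookie, that a tampered expiry field fails the integrity check, and that binding the cookie to the client IP rejects a legitimate client whose requests arrive from different proxy addresses. The secret, client IDs, addresses and timestamps are constructed for the example; a current implementation would use HMAC-SHA256 in place of the nested MD5, but the structure of the check is the same.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed server-side secret for the example; a real deployment would
# generate this randomly and keep it out of source control.
SECRET = b"constructed-example-secret-not-for-real-use"


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_cookie(secret: bytes, expiry: int, client_id: str,
                client_ip: Optional[str] = None) -> str:
    """Build the quoted cookie: MD5(secret + MD5(secret + expiry + ip + id)) + expiry + id.

    The tag, expiry and client id are joined with ':' so the server can parse
    them back out; the tag covers the secret, so only the server can mint one.
    """
    inner = _md5_hex(secret + str(expiry).encode()
                     + (client_ip or "").encode() + client_id.encode())
    tag = _md5_hex(secret + inner.encode())
    return f"{tag}:{expiry}:{client_id}"


def verify_cookie(secret: bytes, cookie: str, client_ip: Optional[str] = None,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a presented cookie.

    Expiry is enforced here, on the server, so a client that ignores the
    request to delete an old cookie still cannot use it.
    """
    now = time.time() if now is None else now
    try:
        tag, expiry_text, client_id = cookie.split(":", 2)
        expiry = int(expiry_text)
    except ValueError:
        return False, "malformed"
    # Recompute the tag from the presented fields; any change to expiry,
    # client id or (if bound) client IP produces a different tag.
    expected = make_cookie(secret, expiry, client_id, client_ip)
    if not hmac.compare_digest(expected.encode(), cookie.encode()):
        return False, "bad-mac"
    if now >= expiry:
        return False, "expired"
    return True, "ok"


def demo() -> dict:
    """Run the scenarios discussed in the thread with constructed inputs."""
    issued_at = 1000
    expiry = issued_at + 3600
    results = {}

    plain = make_cookie(SECRET, expiry, "alice")
    results["fresh"] = verify_cookie(SECRET, plain, now=issued_at + 500)
    # Client kept the cookie past its expiry: still denied.
    results["retained_after_expiry"] = verify_cookie(SECRET, plain, now=expiry + 1)
    # Client edited the expiry field in the cookie: tag no longer matches.
    tag, _, cid = plain.split(":", 2)
    results["tampered_expiry"] = verify_cookie(SECRET, f"{tag}:{expiry + 86400}:{cid}",
                                               now=issued_at + 500)

    # IP-bound variant: the next request leaves the proxy farm from a
    # different address (the round-robin case raised in the reply).
    bound = make_cookie(SECRET, expiry, "alice", client_ip="10.0.0.5")
    results["bound_same_ip"] = verify_cookie(SECRET, bound, client_ip="10.0.0.5",
                                             now=issued_at + 500)
    results["bound_ip_changed"] = verify_cookie(SECRET, bound, client_ip="10.0.0.6",
                                                now=issued_at + 500)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The order of checks matters: the integrity check runs before the expiry comparison so that a forged expiry is reported as a bad tag rather than trusted, and `hmac.compare_digest` is used so the comparison time does not depend on where the tags first differ.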
