Hello Felix, below another take on authentication:


HttpServletRequest.getRemoteAddr()

This method returns the address of the client or the last proxy that sent the
request. If there is indeed a proxy in between, then this may hide that a
request is possibly sent from a different client.

I have seen checkboxes on login forms with wording like
"limit session to this computer" or so.
I think this binds a session to an IP address after signup,
the reason being to prevent stolen cookies from working.

If the request passes any proxies (be it HTTP proxies like Squid or just
some transparent IP masquerading router), the server has absolutely no
clue about the actual client IP. In fact, in such situations the IP
address is generally useless anyway, because it happens to be a private-use
IP address (10.x.x.x, 172.[16-31].x.x, 192.168.x.x).

If the client is on a private network, a server in the open will not know that; it will just consider the gateway IP the client IP. Usually this "remote address" is stored in the server session. And that will indeed raise the level of work required to exploit a cookie, as a different client IP will not compare equal.

Unless the attacker works from behind the same masquerading proxy. If the attacker operates the proxy, only SSL can help. If the attacker owns the client (e.g. the browser), cycling cookies helps by keeping short the time in which they can be used to do harm.

I applaud the Sling team for providing a logout method for HTTP auth. That way one can have important transactions prompt even already logged-on users for credentials, unconditionally, by the browser. I still have to find out how to make my .esp trigger that.

Kind regards.

--
peter

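The session-to-address binding discussed in the message above, written out as a servlet filter. This is an added example, not code from the original post and not part of Sling; the javax.servlet API, the session attribute name, the bindToRemoteAddr() helper (assumed to be called by the login handler when the user ticks the "limit session to this computer" box) and the filter mapping are all assumptions. The private-use test uses InetAddress.isSiteLocalAddress(), which for IPv4 covers exactly 10/8, 172.16/12 and 192.168/16.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds a session to the address seen in HttpServletRequest.getRemoteAddr()
 * and rejects later requests for that session that arrive from another address.
 * Example code with an assumed attribute name; not Sling's own implementation.
 */
public class RemoteAddrBindingFilter implements Filter {

    /** Session attribute holding the bound address (assumed name). */
    static final String BOUND_ADDR = "auth.boundRemoteAddr";

    private static final Logger LOG = Logger.getLogger(RemoteAddrBindingFilter.class.getName());

    /**
     * Assumed to be called by the login handler when the user opted in.
     * getRemoteAddr() is the client itself or the last proxy / NAT gateway
     * in front of it; we can only bind to whatever we see.
     */
    public static void bindToRemoteAddr(HttpServletRequest request) {
        String addr = request.getRemoteAddr();
        if (isPrivateUse(addr)) {
            // Private-use space means we are looking at a proxy or masquerading
            // router, not the client. The binding still separates clients behind
            // different gateways, but not two clients behind the same one.
            LOG.warning("Binding session to gateway address " + addr
                    + "; clients behind the same gateway cannot be told apart");
        }
        request.getSession(true).setAttribute(BOUND_ADDR, addr);
    }

    /** True for RFC 1918 addresses: 10/8, 172.16/12, 192.168/16 (IPv4 literals only). */
    static boolean isPrivateUse(String addr) {
        try {
            // A literal address is parsed without a DNS lookup.
            return InetAddress.getByName(addr).isSiteLocalAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never create a session here; only enforce on sessions that were bound.
        HttpSession session = request.getSession(false);
        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_ADDR);
            String current = request.getRemoteAddr();
            if (bound != null && !bound.equals(current)) {
                // Cookie presented from a different address than the one it was
                // bound to: treat it as stolen, invalidate so the real user must
                // log in again, and refuse the request.
                LOG.warning("Bound session used from " + current + " instead of " + bound);
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter to every path that requires a login. The filter deliberately reads only getRemoteAddr() and not a forwarding header such as X-Forwarded-For, since a client can set that header to any value; the address the servlet container actually saw on the socket is the only value the attacker cannot choose without controlling the proxy or the same gateway, which is exactly the limitation the message describes.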