On 7/17/2011 1:16 AM, Phil Van wrote:
Back to Vincent's original request about session id and login: how
secure is your session id? Have you signed it? If not, someone can try
sending random IDs and break your authentication.

Well, if you sign it and sign it properly, you basically end up with the
same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a
timestamp, you should also sign with the user's IP. If the cookie is stolen,
the origin IP may protect you as the last hope.

Tying a session to an IP can be bad if you use a CDN, or you have clients that are behind big multihomed transparent proxies. AOL users in particular used to come from various IPs during a single session.

Adam
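The signed ticket Phil describes (random id, timestamp, optional IP field, all covered by an HMAC), with the IP binding Adam warns about made a per-deployment switch, as an added example in Python; this is not code from the thread or from any CPAN module, and the secret, ticket layout and lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo secret; a real deployment loads it from server config.
SECRET = b"constructed-demo-secret-rotate-me"
TTL_SECONDS = 3600  # assumed ticket lifetime


def _mac(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(user: str, client_ip: str, bind_ip: bool, now: Optional[int] = None) -> str:
    """Return 'user:sid:issued:ip:mac'. The random sid makes the id unguessable and
    the MAC covers every field, so an edited or invented ticket fails verification.
    With bind_ip=False the ip field is '-' (use that behind a CDN or for clients
    whose address changes mid-session). 'user' must not contain ':'."""
    now = int(time.time()) if now is None else now
    sid = secrets.token_hex(16)
    payload = f"{user}:{sid}:{now}:{client_ip if bind_ip else '-'}".encode()
    return f"{payload.decode()}:{_mac(payload)}"


def verify_ticket(ticket: str, client_ip: str, now: Optional[int] = None,
                  ttl: int = TTL_SECONDS) -> Optional[str]:
    """Return the user name if the ticket is genuine, unexpired and (when bound)
    presented from the same IP; otherwise None. Checks run in that order."""
    now = int(time.time()) if now is None else now
    parts = ticket.split(":")
    if len(parts) != 5:
        return None
    user, sid, issued, ip_field, mac = parts
    payload = ":".join(parts[:4]).encode()
    # Constant-time compare: random or tampered ids are rejected here.
    if not hmac.compare_digest(_mac(payload), mac):
        return None
    # Timestamp: reject tickets dated in the future or older than ttl.
    if not issued.isdigit() or not (now - ttl <= int(issued) <= now):
        return None
    # IP binding is the "last hope" if the cookie is stolen, but it also
    # logs out legitimate users whose address changes (CDN, big proxies).
    if ip_field != "-" and ip_field != client_ip:
        return None
    return user
```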
