Posted: Mon Jun 27, 2005 6:58 pm
HTTP_ACCEPT_CHARSET isn't a good idea to use...
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
dbevfat wrote:
In case of IP switching between single requests in a session, I don't believe that the IP's highest two octets are gonna change. But even if they do - if you take only the first IP number, you're still protected from me, for example.

They absolutely can and do for AOL members. The proxies they go through can often change mid-*page* even, from one coast's proxies to the other. IP addresses are completely, totally, absolutely unreliable as a user identifier. Do not use them as such.

dbevfat wrote:
Forgot to mention; not sure, but I believe IE changes the ACCEPT headers.

It doesn't really matter to the discussion. Users can modify them (falsify them), so they are unreliable as user identifiers regardless of IE's behavior.

Roja wrote:
They absolutely can and do for AOL members. The proxies they go through can often change mid-*page* even, from one coast's proxies to the other. IP addresses are completely, totally, absolutely unreliable as a user identifier. Do not use them as such.

Well, here where I live there are currently no providers that do that. And since my projects are (for now) local, I can rely on a user having the same IP within the session. Luckily, I've heard about IP changing, so I have two options ready: half-IP address matching and without IP. When trouble comes, I'll switch to a lesser security mechanism.

Roja wrote:
It doesn't really matter to the discussion. Users can modify them (falsify them), so they are unreliable as user identifiers regardless of IE's behavior.

You have to rely on something, don't you? Everything that users send can be spoofed, but ordinary users will not change their USER_AGENT in the midst of the session. And hackers will hopefully _not_ find out which USER_AGENT the victim is using. Some sort of security by obscurity.

bsdguru wrote:
Chris, what are your recommendations for variables to include in a "visitor fingerprint"?

To be honest, I'm afraid to rely on anything other than User-Agent for consistency. My research has shown that many headers are inconsistent, particularly with Internet Explorer.

timvw wrote:
REMOTE_ADDR is something I don't consider as an option.

I completely agree.

dbevfat wrote:
I believe IE changes the ACCEPT headers. I've read it somewhere a while ago.

You probably read it from me. I'd like to claim that my research revealed this, but in fact, I relied upon Accept consistency in a production application and discovered this the hard way. Luckily, I had very good intrusion detection and reporting mechanisms that helped me track down the problem, and it was rare enough to not be catastrophic.

Roja wrote:
It doesn't really matter to the discussion. Users can modify them (falsify them), so they are unreliable as user identifiers regardless of IE's behavior.

It does matter. If someone changes their headers, I don't feel sorry for them having to enter their password again. :-)

dbevfat wrote:
Some sort of security by obscurity.

Yep, and despite the "no security through obscurity" mantra, obscurity does have some value as a Defense in Depth mechanism. Also, obscurity is pretty hard to define - by strict definition, the session identifier itself can be considered obscurity, because it could (in theory) be guessed. Of course, the predictability of a session identifier is extremely low - low enough to be negligible in practice.

dbevfat wrote:
You have to rely on something, don't you?

No, actually, and that's really what I was getting at.

dbevfat wrote:
Everything that users send can be spoofed, but ordinary users will not change their USER_AGENT in the midst of the session.

Unfortunately, I've found that not to be true. Especially for Opera users; they have a habit of changing it when they think something isn't working correctly.

Swede78 wrote:
I use sessions for much more than storing log-in information. I have a lot of multi-page forms that rely on sessions. I would be quite annoyed if I had to re-login and start over after filling out multiple pages of information for 15 minutes. I wouldn't want even 1% of my users to experience that.

I focus instead on making the rest of the links as strong as possible, and by doing so, accept a balance between security and risk that does entail some risk, at the benefit of ensuring that Opera users, IE users, AOL users, and proxy users won't come and complain about my poor choices in security.
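A PHP session-fingerprint check that follows the thread's conclusions (bind the session to the User-Agent only, leaving out REMOTE_ADDR and the Accept headers that proxies and IE vary mid-session), added here as an example and not code from any poster; the secret value, the login page path and the error_log destination are assumptions:

```php
<?php
// Added example: a weak but stable session fingerprint used as defence in depth.
// REMOTE_ADDR and HTTP_ACCEPT* are deliberately excluded: as the thread notes,
// AOL-style proxies rotate IPs mid-session and IE varies its Accept headers,
// so binding to them logs legitimate users out of long multi-page forms.

// Assumed placeholder; in deployment load a long random secret from config.
const FINGERPRINT_SECRET = 'replace-with-a-long-random-server-secret';

function session_fingerprint(array $server): string
{
    // Only the User-Agent is used. It is still spoofable, so a match proves
    // nothing on its own; a mismatch is merely a cheap hijack indicator.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // HMAC with a server secret so the stored value reveals nothing about the
    // header and cannot be recomputed by someone who only knows the UA string.
    return hash_hmac('sha256', $ua, FINGERPRINT_SECRET);
}

function fingerprint_matches(string $stored, array $server): bool
{
    // Constant-time comparison so the check cannot be probed byte by byte.
    return hash_equals($stored, session_fingerprint($server));
}

session_start();

if (!isset($_SESSION['fingerprint'])) {
    // First request of this session: rotate the ID so a session identifier
    // handed to the browser before this point is not carried forward.
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = session_fingerprint($_SERVER);
} elseif (!fingerprint_matches($_SESSION['fingerprint'], $_SERVER)) {
    // Mismatch: log it for the kind of intrusion reporting the thread describes,
    // then drop the session and require a fresh login instead of serving the page.
    error_log('session fingerprint mismatch for session ' . session_id());
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php'); // assumed login page path
    exit;
}
```

As the thread's last post points out, this costs a re-login for any user whose browser changes its User-Agent mid-session (Opera users toggling identification, for instance), so the mismatch log line is worth watching to see how often that actually happens.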