Run BASIC
« Next version? »

Dec 8, 2009, 6:09pm



Topic: Next version? (Read 447 times)
David den Haring
 Re: Next version?
« Reply #15 on Nov 4, 2009, 10:13am »


Nov 1, 2009, 2:12pm, votan wrote:
Now that Carl seems to be present here in the forum again, after being absent for like 2 months, I just have to ask again. ;)

Any news on the next version?

Besides that... I'm stepping into a problem here that I can't solve. I need a way to protect some projects from public access and make them only accessible to logged-in users. In Apache and PHP I would just use .htaccess... but that's just not an option in RB. And relying on a local login system and the RB sessions also does not really help, as the sessions are easily hijackable. Any news on a more secure session system in the next version?


I wonder when the variable UserAddress$ is set. Is it only at the beginning of a session, or does it change based on incoming packets?

If it were dynamic, could that be used to detect a hijacked session? Is that basically what you're asking Carl to add to Run BASIC?

David den Haring
Simple Computing Blog
http://denharing.blogspot.com
votan
 Re: Next version?
« Reply #16 on Nov 5, 2009, 7:03am »

I'm not really sure how exactly this is handled!? It looks more like the system is caching the complete result... so if I reopen a site by using a URL with a still-valid session, it opens the cached page, ignoring all the code that usually creates this page. I'm gonna do some more tests on the session thing.
Anyway, it would be really cool if Carl could make sessions IP-aware. And maybe offer us users a way of controlling the default caching a bit.
David den Haring
 Re: Next version?
« Reply #17 on Nov 5, 2009, 1:29pm »


Nov 5, 2009, 7:03am, votan wrote:
I'm not really sure how exactly this is handled!? It looks more like the system is caching the complete result... so if I reopen a site by using a URL with a still-valid session, it opens the cached page, ignoring all the code that usually creates this page. I'm gonna do some more tests on the session thing.
Anyway, it would be really cool if Carl could make sessions IP-aware. And maybe offer us users a way of controlling the default caching a bit.


If you hijack a session, isn't it just as easy to spoof the IP address since it's encoded in the TCP packet?
votan
Senior Member
****
member is offline





Joined: Jul 2008
Gender: Male
Posts: 300
Karma: 3
 Re: Next version?
« Reply #18 on Nov 5, 2009, 3:55pm »

IP spoofing is kind of a different problem and not as common/easy/possible as hijacking or just spreading a valid session.
Check out the spoofer project at http://spoofer.csail.mit.edu/