Post by David den Haring on Nov 4, 2009 10:13:27 GMT -5
Now that Carl seems to be present here in the forum again, after being absent for like 2 months, I just have to ask again. Any news on the next version? Besides that... I'm stepping into a problem here that I can't solve. I need a way to protect some projects from public access and make them only accessible to logged-in users. In Apache and PHP I would just use .htaccess.... but that's just not an option in RB. And relying on a local login system and the RB sessions does also not really help, as the sessions are easily hijackable. Any news on a more secure session system in the next version? I wonder when the variable UserAddress$ is set. Is it only at the beginning of a session, or does it change based on incoming packets? If it were dynamic, could that be used to detect a hijacked session? Is that basically what you're asking Carl to add to Run Basic?
Post by votan on Nov 5, 2009 7:03:02 GMT -5
I'm not really sure how exactly this is handled!? It more looks like the system is caching the complete result... so if I reopen a site by using a URL with a still valid session, it opens the cached page, ignoring all the code that usually creates this page. I wanna do some more tests on the session thing. Anyway, it would be really cool if Carl could make sessions IP-aware. And maybe offer us users a way of controlling the default caching a bit.
Post by David den Haring on Nov 5, 2009 13:29:11 GMT -5
I'm not really sure how exactly this is handled!? It more looks like the system is caching the complete result... so if I reopen a site by using a URL with a still valid session, it opens the cached page, ignoring all the code that usually creates this page. I wanna do some more tests on the session thing. Anyway, it would be really cool if Carl could make sessions IP-aware. And maybe offer us users a way of controlling the default caching a bit. If you hijack a session, isn't it just as easy to spoof the IP address, since it's encoded in the TCP packet?
Post by votan on Nov 5, 2009 15:55:01 GMT -5
IP-spoofing is kind of a different problem and not so common/easy/possible as hijacking or just spreading a valid session. Check out the spoofer project at spoofer.csail.mit.edu/
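The IP-aware session scheme votan asks for, with David's spoofing objection and the thread's hijacking concern in mind, as an added Python example. It is not Run BASIC code and not written by anyone in the thread; it assumes the server sees the real client address (what the thread calls UserAddress$, or REMOTE_ADDR elsewhere) rather than a proxy's, and the addresses and user name in `demo()` are constructed for the walkthrough. Beyond the IP check itself it also shows the two pieces that do most of the work: an unguessable session ID and rotating that ID at login, so a planted pre-login ID (session fixation) stops working.

```python
"""Session binding demo (added example; not Run BASIC code or code from the forum)."""
import secrets
import time


class SessionStore:
    """In-memory session table that binds each session ID to the client address
    it was created from. Assumption: the server sees the real client address."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> record dict

    def create(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: IDs cannot be guessed or enumerated, so the
        # remaining risk is an ID that leaks (shared URL, sniffing, script injection).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "created": now, "last_seen": now}
        return sid

    def resolve(self, sid, client_ip, now=None):
        """Validate a presented session ID for the requesting client.

        Returns (user, "ok") on success or (None, reason) on failure. On an IP
        mismatch the session is destroyed outright: whichever party is the
        impostor, a leaked ID must not keep working for anyone.
        """
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown"
        if now - rec["last_seen"] > self.ttl:
            del self._sessions[sid]
            return None, "expired"
        if rec["ip"] != client_ip:
            del self._sessions[sid]
            return None, "ip_mismatch"
        rec["last_seen"] = now
        return rec["user"], "ok"

    def login(self, sid, user, client_ip, now=None):
        """Authenticate the holder of a pre-login session and rotate its ID, so an
        ID handed out (or planted) before login stops working afterwards."""
        _, reason = self.resolve(sid, client_ip, now)
        if reason != "ok":
            return None
        del self._sessions[sid]
        return self.create(user, client_ip, now)


def demo():
    """Walk through the scenarios the thread argues about; returns each outcome."""
    store = SessionStore(ttl_seconds=600)
    t0 = 1_000_000.0
    # Constructed addresses for the demo (documentation ranges, not real hosts).
    victim_ip, attacker_ip, roaming_ip = "203.0.113.10", "198.51.100.7", "203.0.113.99"

    pre_login = store.create(None, victim_ip, now=t0)                # anonymous session
    sid = store.login(pre_login, "alice", victim_ip, now=t0 + 1)     # rotated at login

    outcomes = {}
    outcomes["valid"] = store.resolve(sid, victim_ip, now=t0 + 2)[1]
    # The pre-login ID is dead after rotation (defeats session fixation).
    outcomes["fixation"] = store.resolve(pre_login, victim_ip, now=t0 + 2)[1]
    # Attacker replays the leaked ID from another address: rejected and destroyed.
    outcomes["hijack"] = store.resolve(sid, attacker_ip, now=t0 + 3)[1]
    # ...which also ends the legitimate user's session (forces a fresh login).
    outcomes["after_hijack"] = store.resolve(sid, victim_ip, now=t0 + 4)[1]
    # Caveat: a legitimate user whose address changes (NAT, mobile) looks identical.
    sid2 = store.create("alice", victim_ip, now=t0 + 10)
    outcomes["roaming_user"] = store.resolve(sid2, roaming_ip, now=t0 + 11)[1]
    # Idle timeout limits how long any leaked ID stays usable at all.
    sid3 = store.create("alice", victim_ip, now=t0 + 20)
    outcomes["expired"] = store.resolve(sid3, victim_ip, now=t0 + 20 + 601)[1]
    return outcomes
```

On the spoofing question: an HTTP request rides on a TCP connection, so a request sent with a forged source address gets its replies (including the page) delivered to the forged address, not to the attacker; unless the attacker is on the path and can see those replies, the forged request does not get them in. That is why replaying a leaked ID is the common case and source-address forgery is the harder, separate problem votan describes. The `roaming_user` outcome is the price of IP binding: it is a coarse signal, and the idle timeout plus rotation at login are the parts worth keeping even if the address check is relaxed.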