Post by votan on Sept 19, 2008 13:19:51 GMT -5
Uhm... are sessions generated by RB bound to the client's IP, or are these session IDs just random characters? I can't test that myself as I have a static IP here... If they are not bound to the client's IP, this would make session hijacking or session sharing pretty easy... Otherwise I have to connect to a DB every time a request is made to validate the user's IP, which would of course kind of suck... Or does anyone know of a good way to avoid session sharing under RB?
Post by Carl Gundel - admin on Sept 19, 2008 14:10:11 GMT -5
Very sharp question. Yes, the session can be hijacked, but we should have a fix for this soon.
-Carl
Post by Carl Gundel - admin on Sept 19, 2008 15:10:39 GMT -5
To follow up on this, I am hoping to add session cookies and IP-based session protection as options you can turn on from the Preferences tab.
-Carl
Post by votan on Sept 19, 2008 15:19:07 GMT -5
That sounds really great! Making it user-selectable in the server settings is a good choice! Maybe an extra option to allow only one-time usage for each session ID might be a good addition, too? So the session ID expires right after it has been used once and can't be reused again. By the way, any news on when the next beta will be out?
Post by kokenge on Sept 19, 2008 18:16:19 GMT -5
I've been using the first two numbers of the IP and the UserInfo$. Not perfect, but I've never had a problem with it so far. Even when a dynamic IP changes, it is very rare that the first two numbers change. Worst case is that somehow the person's first two numbers of the IP changed, or they somehow got onto another browser and/or OS in the middle of their session. And even then it would simply send back that they need to sign on again. And to my knowledge, it's never happened.
But I guess I can give this up soon...
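The two ideas in this thread (votan's one-time session IDs and kokenge's binding of the session to the first two octets of the client IP plus the browser identification string) can be combined in a small server-side session table. The Python below is an added example written for this page; it is not Run BASIC code and not part of RB itself. It assumes UserInfo$ is the browser's User-Agent string, uses a 30-minute idle timeout, and keeps sessions in memory; the IP addresses and User-Agent values in the demo are constructed. Note the trade-off a practitioner should weigh: any IP binding, even on two octets, will sign out legitimate users behind load-balanced proxies or mobile carriers whose addresses jump between networks, while an attacker on the same /16 still passes the check, so it is a speed bump, not a substitute for a long random token sent over HTTPS.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value, not from RB)


class SessionStore:
    """In-memory session table: token -> record.

    Each session is bound to the first two octets of the client IP and to
    the User-Agent string (kokenge's check). The token is single-use: every
    successful request replaces it with a fresh one (votan's suggestion),
    so a captured token that has already been spent is worthless.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def ip_prefix(ip):
        """'203.0.113.7' -> '203.0.113' trimmed to the first two octets."""
        return ".".join(ip.split(".")[:2])

    def create(self, client_ip, user_agent, user):
        """Issue a fresh random session token after a successful sign-on."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = {
            "user": user,
            "ip_prefix": self.ip_prefix(client_ip),
            "user_agent": user_agent,
            "last_seen": time.time(),
        }
        return token

    def validate(self, token, client_ip, user_agent, now=None):
        """Check a presented token against the caller's IP and User-Agent.

        Returns (new_token, user) on success. On any failure the session is
        dropped and (None, None) is returned, so the user has to sign on
        again, exactly the behaviour kokenge describes. Because the record
        is popped first, a hijacker's attempt also kills the real session
        rather than leaving two parties sharing it.
        """
        now = time.time() if now is None else now
        rec = self._sessions.pop(token, None)
        if rec is None:
            return None, None  # unknown or already-spent token
        bound_ok = (
            rec["ip_prefix"] == self.ip_prefix(client_ip)
            and rec["user_agent"] == user_agent
        )
        if not bound_ok or now - rec["last_seen"] > SESSION_TTL:
            return None, None
        rec["last_seen"] = now
        new_token = secrets.token_urlsafe(32)  # rotate: old token is gone
        self._sessions[new_token] = rec
        return new_token, rec["user"]


def demo():
    """Walk through the cases discussed in the thread with constructed data."""
    ua = "Mozilla/5.0 (constructed User-Agent)"
    store = SessionStore()
    t1 = store.create("203.0.113.7", ua, "alice")

    # Same first two octets, same browser: accepted, token rotated.
    t2, user = store.validate(t1, "203.0.113.200", ua)
    # Replaying the first token: rejected, it was single-use.
    replay, _ = store.validate(t1, "203.0.113.200", ua)
    # Same token presented from a different network: rejected, session dropped.
    hijack, _ = store.validate(t2, "198.51.100.9", ua)
    # The legitimate user is now also signed out and must log in again.
    after_hijack, _ = store.validate(t2, "203.0.113.7", ua)

    # A session that sat idle longer than SESSION_TTL is also rejected.
    t3 = store.create("203.0.113.7", ua, "bob")
    expired, _ = store.validate(t3, "203.0.113.7", ua, now=time.time() + SESSION_TTL + 1)

    return {
        "rotated": t2 is not None and t2 != t1,
        "user": user,
        "replay_rejected": replay is None,
        "hijack_rejected": hijack is None,
        "victim_signed_out": after_hijack is None,
        "expired_rejected": expired is None,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the store would live in the database or a shared cache rather than a dictionary, and the token would be delivered in an HttpOnly, Secure cookie; the rotation on every request is what makes a leaked session ID from a log or a Referer header useless by the time an attacker tries it.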