Camping 2.0 - What's left?

Bluebie, Jenna blueberry at creativepony.com
Sun May 25 09:04:44 EDT 2008


That's no good, a significant amount of ISPs do not route requests
from one user to one web host via the same routes on each request, and
when they use proxy servers, as AOL does, that means every request
comes from a different IP address, even though it's the same user.
Worse still, the IP addresses of the proxy servers are located all
around the world, so even geolocation fails.

Ditch the remote IP check or it won't work at all for a lot of users. I
also feel 15 minutes is dodgy. I like session cookies, not timed
cookies. The user closes the browser and the cookie dies, nice and
simple. If you want to use a timeout, how about something that won't
have any real downsides like a day or two?

The user agent is probably safe, but some plugins add text to the user
agent, so if the user upgrades Flash for instance, the session is
instantly voided and unusable as Flash's version number will change.

The only one of these which limits the usefulness of cookie stealing to
attackers is the IP check, which is totally unusable on the real-world
internet. Timeouts are just annoying and I don't think extremely high
security apps which would suit 15 minute timeouts are really the
target audience of Camping.


—
Jenna

On 25/05/2008, at 10:45 PM, Magnus Holm wrote:

> You're absolutely right. Not anymore, though. I fixed it in my cs-branch.
> Now it will save the data in three cookies: camping_blob, camping_hash
> and camping_time. The secure_blob_hasher includes the remote IP and
> the user agent, and it also has a timeout of 15 minutes (which can
> be overridden with @@state_timeout).
>
> http://github.com/judofyr/camping/commits/cs
>
> On Sun, May 25, 2008 at 5:43 AM, _why <why at whytheluckystiff.net>  
> wrote:
>> On Sun, May 25, 2008 at 12:25:08AM +0200, Magnus Holm wrote:
>>> * The cookie session is named Camping::Session and is placed in
>>> camping/session.rb. Maybe this should be called  
>>> Camping::CookieSession or???
>>
>> You know, these cookie sessions seem like they could be a problem.
>> A lot of sessions would contain just the hash and the user name.
>> So, spoof the user name and you're in, you know?
>>
>> _why
>> _______________________________________________
>> Camping-list mailing list
>> Camping-list at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/camping-list
>>
>
>
>
> -- 
> Magnus Holm
> _______________________________________________
> Camping-list mailing list
> Camping-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/camping-list
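A signed-cookie session along the lines discussed in this thread (three cookies, camping_blob, camping_hash and camping_time, plus a configurable timeout), added here as an illustration; it is not Camping's own Camping::Session or the cs-branch code. The module name, the secret key and the JSON/Base64 encoding are assumptions for the example. It shows the point _why raised: if the blob is not covered by a keyed hash, the user name in it can simply be edited, whereas with the HMAC any change to the blob or to the timestamp invalidates the cookie. Following Jenna's objection, the hash covers only the blob and the time, not the remote IP or user agent.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Illustrative signed cookie session (not Camping's code). Cookie names follow
# the thread; the secret, module name and encoding are assumptions.
module SignedCookieSession
  SECRET = 'example-secret-change-me'.freeze # constructed for the example

  # HMAC over blob *and* time, so neither can be altered without the secret.
  def self.sign(blob, time, secret)
    OpenSSL::HMAC.hexdigest('SHA256', secret, "#{blob}|#{time}")
  end

  # Constant-time comparison so the hash cannot be guessed byte by byte
  # from timing differences.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Build the three cookies: serialised state, its issue time, and the hash.
  def self.dump(state, now = Time.now.to_i, secret = SECRET)
    blob = Base64.strict_encode64(JSON.generate(state))
    time = now.to_s
    { 'camping_blob' => blob,
      'camping_time' => time,
      'camping_hash' => sign(blob, time, secret) }
  end

  # Returns the state hash, or nil if any cookie is missing, the hash does
  # not match, the cookie is older than `timeout` seconds, or the blob is
  # not decodable. `timeout` plays the role of @@state_timeout in the thread.
  def self.load(cookies, now = Time.now.to_i, timeout: 15 * 60, secret: SECRET)
    blob, time, hash = cookies.values_at('camping_blob', 'camping_time', 'camping_hash')
    return nil if blob.nil? || time.nil? || hash.nil?
    return nil unless secure_equal?(hash, sign(blob, time, secret))
    return nil if now - time.to_i > timeout
    JSON.parse(Base64.strict_decode64(blob))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Demonstrates _why's concern: swapping the user name inside the blob
  # must be rejected, while the untouched cookie set still loads.
  def self.spoof_rejected?
    cookies = dump({ 'user' => 'alice' }, 1_000)
    forged_blob = Base64.strict_encode64(JSON.generate('user' => 'admin'))
    forged = cookies.merge('camping_blob' => forged_blob)
    !load(cookies, 1_100).nil? && load(forged, 1_100).nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  cookies = SignedCookieSession.dump({ 'user' => 'alice' })
  puts cookies.inspect
  puts "valid:  #{SignedCookieSession.load(cookies).inspect}"
  puts "spoof rejected: #{SignedCookieSession.spoof_rejected?}"
end
```

The timeout is a parameter of `load`, so the 15 minute default from the thread and Jenna's "a day or two" are both a single argument away; the signature check runs before the timeout check so that an expired cookie with a bad hash is never decoded at all.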
