NYCPHP Meetup

NYPHP.org

[nycphp-talk] Debugging Remote Problem - Solved

csnyder chsnyder at gmail.com
Wed Feb 22 12:16:06 EST 2006


On 2/22/06, Mitch Pirtle <mitch.pirtle at gmail.com> wrote:
> Aha, I was right! We switched away from IP reliance in the upcoming
> 1.0.8 release, as well as the newer 1.1 development release, see Rey's
> comments below about the 1.0.x series:
>

Yeah, I can see where IP address checking could be considered a layer
of security "onion" but it only prevents some classes of attack.
Anybody in a position to sniff a session id and use it to create their
own requests is probably also in a position to spoof the IP address on
the packet.

I'm thinking specifically of what might happen if you access your site
using a compromised router, or if someone on your wifi network was
doing packet sniffing.

What are you preventing, then, by checking the IP address? Cross-site
scripting attacks, where the attacker is on another network. That's
pretty big, but you can't assume that all attacks will originate on a
separate network.

--
Chris Snyder
http://chxo.com/
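A PHP sketch of the session-to-IP check the thread is weighing, added here as an illustration (not code from the thread or from the project Mitch mentions); the function name is an assumption. It shows what the check catches and, in the comments, the limits Chris describes.

```php
<?php
// Added example, not from the thread or the project it discusses.
// Assumes session_start() has already been called by the request
// handler; the function name is hypothetical.

declare(strict_types=1);

/**
 * Bind the current session to the client address it was first seen from.
 * Returns true if the session may be used, false if it was discarded.
 */
function session_check_client_binding(string $remoteAddr): bool
{
    if (!isset($_SESSION['bound_ip'])) {
        // First request of this session: record the client address and
        // rotate the id so an id handed out before login cannot be reused.
        $_SESSION['bound_ip'] = $remoteAddr;
        session_regenerate_id(true);
        return true;
    }

    if ($_SESSION['bound_ip'] !== $remoteAddr) {
        // The address changed: treat the id as reused from another
        // network and throw the session away.
        // Limits the thread points out: an attacker behind the same NAT
        // or on the same wifi segment presents the same address, and a
        // legitimate user's address can change (proxies, mobile), so
        // this only blocks off-network reuse of a sniffed id and should
        // sit alongside HTTPS and id regeneration, not replace them.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    return true;
}

// Usage inside a request, after session_start():
// if (!session_check_client_binding($_SERVER['REMOTE_ADDR'])) {
//     header('Location: /login.php');
//     exit;
// }
```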

