Bugtraq mailing list archives
Re: Intacct.com: Multiple bugs at financial services company
From: "Smith, Eric V." <EricSmith () WINDSOR COM>
Date: Thu, 7 Sep 2000 18:20:33 -0400
-----Original Message-----
From: Alan DeKok [mailto:aland () STRIKER OTTAWA ON CA]
Sent: Wednesday, September 06, 2000 1:34 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Intacct.com: Multiple bugs at financial services company

< excellent http authentication discussion deleted>

The timeout information can be encoded in a cookie, too. The server can then verify that the cookie is out of date, deny access, and ask "pretty-please" for the client to delete the cookie. If the client doesn't delete the cookie, they *still* can't gain access, as the cookie itself contains information about when it expires. e.g.

    cookie = MD5(secret + MD5(secret + expiry + client-IP + client-ID)) + expiry + client-id
Wow, what a great post. Thanks. My only concern is that the client-IP can't really be used. If the client is using some sort of outbound round-robin http proxy (like CARP) then there's no guarantee that any 2 calls from the same client will be from the same IP address. I've run into this problem with @home, among others, while trying inbound load balancing and sending clients back to the same http server. It just won't work. It's been suggested that instead of a single IP address, use some subnet with a mask, but that's no more reliable since it's not guaranteed either.

Eric.