[Typo3-dev] For Kasper: ses_iplock and alternative authentication extensions
Martin T. Kutschker
Martin.T.Kutschker at blackbox.net
Fri Apr 9 09:37:25 CEST 2004
Juergen Egeling wrote:
> * Kasper Skårhøj <kasper at typo3.com> [040408 11:46]:
>
>>user is logged in from "192.168.1.10" we store and check for only
>>"192.168" and nothing more.
>
> IMHO might lead too much to a security problem. What do you
> want to achieve? Nail down one machine? -> User has to have a
> unique IP address.
They don't with certain proxies/firewalls. But these setups will
probably come from one IP range.
Though I don't think it is wise to reduce security for all users for the
sake of some. That's why I mentioned per login - in the meaning of per
session! So that roaming users may choose depending on the current
connection.
> Nail down one user? Try to make an MD5 checksum from what the
> browser tells you: Version, Language used, Operating system used, ...
> If this changed, tell the user after login, ...
> If User/PW is not enough.
Sounds better but is not enough as the info may be spoofed easily.
Masi
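
The per-session IP lock and the browser checksum discussed in this thread, sketched as an added example that is not part of the original mails and is not TYPO3's own code. All function names and the sample header values are hypothetical, and SHA-256 stands in for the MD5 mentioned above; the browser digest is only reported as a change signal because the client controls those headers.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample request headers (not taken from any real browser).
HEADERS = {"User-Agent": "ExampleBrowser/1.0 (constructed)", "Accept-Language": "de"}

def ip_prefix(ip: str, octets: int) -> str:
    """First `octets` octets of an IPv4 address: 0 disables the lock, 4 pins the full address."""
    if not 0 <= octets <= 4:
        raise ValueError("octets must be 0..4")
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    # Compare whole octets, so a lock on "10.1" never matches "10.11.x.x".
    return ".".join(str(addr).split(".")[:octets])

def browser_fingerprint(headers: dict) -> str:
    """Digest of browser-supplied headers; spoofable, so never a substitute for the IP lock."""
    parts = [headers.get(name, "") for name in ("User-Agent", "Accept-Language")]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

@dataclass
class Session:
    lock_octets: int   # chosen per login, i.e. per session
    ip_lock: str       # stored prefix, e.g. "192.168"
    fingerprint: str

def start_session(ip: str, headers: dict, lock_octets: int = 4) -> Session:
    """Create the session record; the strict full-address lock is the default."""
    return Session(lock_octets, ip_prefix(ip, lock_octets), browser_fingerprint(headers))

def check_request(session: Session, ip: str, headers: dict) -> tuple:
    """Return (allowed, browser_changed) for a request on an existing session."""
    try:
        allowed = ip_prefix(ip, session.lock_octets) == session.ip_lock
    except ValueError:
        allowed = False  # unparsable client address: fail closed
    return allowed, browser_fingerprint(headers) != session.fingerprint
```

A session started with `lock_octets=2` from "192.168.1.10" stores only "192.168", so it survives a proxy pool that rotates within that range while other sessions keep the full-address lock.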