[Typo3-dev] Security Problem - HTML

Martin Kutschker Martin.T.Kutschker at blackbox.net
Wed Sep 24 09:05:47 CEST 2003


Date: Tue, 23 Sep 2003 17:31:54 +0200
From: "Peter Russ :: 4Dfx" <peter.russ at 4dfx.de>

René Fritz wrote:

>> So why not make the security stronger than to make workarounds. Which
>> means to include the IP from where a user logged in, in the current
>> session.
>
> This might be a problem as the IP address
> 1) might change if it is a dialed connection or with timeout
> 2) with a router you might see only 1 IP address for tons of users.

3) A proxy might hide the IP altogether or change it constantly!

So yes, possibly you won't get any enhanced security. OTOH little effort for little security seems to be justified. But make it configurable per session, so the users can temporarily disable it if they are behind a proxy or a firewall.

BTW, it'd be nice to offer IP checking also for FE users.

Masi 
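
Added example, not part of the original message and not TYPO3 code: a minimal PHP sketch of a session bound to the login IP with a per-session switch, run over constructed requests that reproduce the three objections raised in the thread. The function names, the session array layout and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```php
<?php
// Illustrative only: createSession() and checkSession() are hypothetical helpers.

/** Build the session record at login, remembering the client IP and the lock flag. */
function createSession(string $userId, string $clientIp, bool $lockToIp = true): array
{
    return [
        'id'       => bin2hex(random_bytes(16)),
        'user'     => $userId,
        'loginIp'  => $clientIp,
        'lockToIp' => $lockToIp, // the user may switch this off behind a proxy
    ];
}

/** Check one request against the session; returns [accepted, reason]. */
function checkSession(array $session, string $requestIp): array
{
    if (!$session['lockToIp']) {
        return [true, 'ip lock disabled for this session'];
    }
    // Compare packed forms so different spellings of one address still match.
    $login   = @inet_pton($session['loginIp']);
    $current = @inet_pton($requestIp);
    if ($login === false || $current === false) {
        return [false, 'unparseable address'];
    }
    return hash_equals($login, $current)
        ? [true, 'ip matches login']
        : [false, 'ip changed since login'];
}

// Constructed sample requests.
$locked   = createSession('editor', '192.0.2.10');
$unlocked = createSession('editor', '192.0.2.10', false);
$cases = [
    'same client'                => [$locked, '192.0.2.10'],
    'session id used elsewhere'  => [$locked, '198.51.100.7'],  // the case the check catches
    'dial-up user after re-dial' => [$locked, '192.0.2.44'],    // point 1: false reject
    'other user behind same NAT' => [$locked, '192.0.2.10'],    // point 2: not detected
    'rotating proxy, lock off'   => [$unlocked, '203.0.113.5'], // point 3: accepted, no check
];
foreach ($cases as $label => [$session, $ip]) {
    [$ok, $why] = checkSession($session, $ip);
    printf("%-28s %-7s %s\n", $label, $ok ? 'accept' : 'reject', $why);
}
```

The output shows the trade-off discussed above: the lock rejects a session id replayed from another address, but it also rejects a legitimate user whose address changed, and it cannot distinguish users who share one outgoing address.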




