Re: mailmam, web bridge, forum, p2p (was: Diversification)

From: Zelphir Kaltstahl
Subject: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Date: Thu, 24 Oct 2019 18:39:54 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0

Hi Nala!

I have a question regarding this IP check.

Does this mean that both the IP address and (logical and) the cookie
need to be correct, or is it an inclusive logical or?

I sometimes find myself switching the location of the server of the VPN I am
using. In such a case, would I still be logged in, based on the correct
cookie, or would I be logged out, because my IP address does not match
my previous address?



On 10/24/19 4:15 PM, Nala Ginrut wrote:
> On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <
> address@hidden> wrote:
>> Because of login CSRF the Referer header should also be verified for
>> all links internal to the website (external links should strip the
>> Referer header via redirect pages similar to what the code attached to
>> this mail does).
>> I do not know what Artanis does currently.  I will check next week.
> The current Artanis will check both session token (from cookies) and the
> client IP.
> This method was blamed for being overkill because some users may be in the
> same LAN with a unique external IP.
> But I think IPv6 will cover this world finally, so I think this would be
> the best way to go.
> Of course, there's no conflict in adding an extra verification token. Patches or
> proposals are welcome. ;-)
> Best regards.

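An added illustration of the question raised in this thread, not Artanis code and not part of either message: a session check that requires the cookie token and the client IP together (the logical AND reading of "check both", which is an assumption here), compared with a token-only check. `SessionStore`, `scenarios` and all addresses are hypothetical and constructed for the example.

```python
import ipaddress
import secrets

class SessionStore:
    """In-memory session table mapping token -> (user, address at login)."""

    def __init__(self, require_ip_match=True):
        self.require_ip_match = require_ip_match
        self._sessions = {}

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(32)  # value that would go in the cookie
        self._sessions[token] = (user, ipaddress.ip_address(client_ip))
        return token

    def check(self, token, client_ip):
        """Return the user for an accepted request, or None if rejected."""
        entry = self._sessions.get(token)
        if entry is None:  # no valid cookie: the address alone never suffices
            return None
        user, login_ip = entry
        # Parsed comparison, so different spellings of one IPv6 address match.
        if self.require_ip_match and ipaddress.ip_address(client_ip) != login_ip:
            return None  # logical AND: valid cookie, but the address changed
        return user

def scenarios(require_ip_match):
    store = SessionStore(require_ip_match)
    # Constructed addresses taken from the documentation ranges.
    alice = store.login("alice", "203.0.113.7")
    bob = store.login("bob", "203.0.113.7")  # same LAN, same external IP
    carol = store.login("carol", "2001:db8::1")
    return {
        "same_address": store.check(alice, "203.0.113.7"),
        "vpn_exit_changed": store.check(alice, "198.51.100.20"),
        "shared_nat_other_user": store.check(bob, "203.0.113.7"),
        "address_without_cookie": store.check("no-such-token", "203.0.113.7"),
        "ipv6_other_spelling": store.check(carol, "2001:0db8:0:0:0:0:0:1"),
    }

if __name__ == "__main__":
    for mode in (True, False):
        print("require_ip_match =", mode, scenarios(mode))
```

Under this AND policy a changed VPN exit address ends the session even though the cookie is still valid, while users behind one shared external address are told apart only by their tokens.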