On Wed, Oct 09, 2002 at 02:36:23PM -0400, Greg Ward wrote: > On 08 October 2002, Jonathan Corbet said: > > That's the same patch that I submitted a while back. I've not looked to > > see if it went into 0.51, or if the alternative - removing the > > CHECK_SESSION_ADDR option entirely - was taken instead. > > D'ohh! As I recall, the consensus was in favour of removing that > feature. (Ie. Neil and I agreed to nuke it, and you didn't object.) > But no one ever did. *And* the bug was never fixed -- which just > indicates that Mikhail is the only person actually using this feature. > > Mikhail, I'm going to check in your patch -- but now it's your turn. > Please convince us that CHECK_SESSION_ADDR really is a useful feature > and should not be removed. Hmm.. I am not sure I know how to convince you. :) Well, let's try it. You know, there are people called paranoid. But being paranoid does not mean they do not watch you. :) Seriously, I consider it a security flaw when catching a session cookie may allow a men-in-the-middle to access some sensitive information. So in cases when there is such a risk, an approach where you check the ip address of the incoming request seems to be reasonable. So people who would want to perform such a check would have to re-implement it all the time. From the other hand, I did not hear your thoughts for getting rid of this feature, maybe you somehow addressed this already. I also believe that in Jon's case (lwn.net) the main aim is to make the whole process rather pleasant for the visitors, so this check would be unnecessary as [I believe] no that sensitive information is stored anywhere. Hoping for the better, :) -- Misha