durusmail: quixote-users: a small patch
a small patch
Mikhail Sobolev
2002-10-09
On Wed, Oct 09, 2002 at 02:36:23PM -0400, Greg Ward wrote:
> On 08 October 2002, Jonathan Corbet said:
> > That's the same patch that I submitted a while back.  I've not looked to
> > see if it went into 0.51, or if the alternative - removing the
> > CHECK_SESSION_ADDR option entirely - was taken instead.
>
> D'ohh!  As I recall, the consensus was in favour of removing that
> feature.  (Ie. Neil and I agreed to nuke it, and you didn't object.)
> But no one ever did.  *And* the bug was never fixed -- which just
> indicates that Mikhail is the only person actually using this feature.
>
> Mikhail, I'm going to check in your patch -- but now it's your turn.
> Please convince us that CHECK_SESSION_ADDR really is a useful feature
> and should not be removed.
Hmm.. I am not sure I know how to convince you. :)  Well, let's try it.

You know, there are people called paranoid.  But being paranoid does not
mean they do not watch you. :)  Seriously, I consider it a security flaw
when catching a session cookie may allow a man-in-the-middle to access
some sensitive information.  So in cases when there is such a risk, an
approach where you check the IP address of the incoming request seems to
be reasonable.  So people who would want to perform such a check would
have to re-implement it all the time.  On the other hand, I did not
hear your thoughts on getting rid of this feature; maybe you somehow
addressed this already.

I also believe that in Jon's case (lwn.net) the main aim is to make the
whole process rather pleasant for the visitors, so this check would be
unnecessary as [I believe] no information that sensitive is stored
anywhere.

Hoping for the better, :)

--
Misha


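The check Misha is arguing for above, binding a session to the client address it was created from so that a captured cookie replayed from elsewhere is refused, as an added worked example. This is illustrative code written for this page, not Quixote's own session code or the CHECK_SESSION_ADDR implementation; the class name `SessionManager`, the addresses `VICTIM_ADDR` and `ATTACKER_ADDR`, and the scenario in `simulate_stolen_cookie` are all constructed assumptions.

```python
import secrets

# Constructed sample addresses for the scenario below (not from the thread).
VICTIM_ADDR = "10.0.0.5"
ATTACKER_ADDR = "192.0.2.77"


class SessionManager:
    """Minimal server-side session store with an optional address check.

    Hypothetical example, not Quixote's SessionManager.  When
    check_session_addr is True, a session may only be used from the
    remote address that created it, which is the idea behind the
    CHECK_SESSION_ADDR option discussed in the thread.
    """

    def __init__(self, check_session_addr: bool):
        self.check_session_addr = check_session_addr
        # session id -> {"addr": creating address, "data": per-session dict}
        self._sessions = {}

    def create(self, remote_addr: str) -> str:
        """Start a new session and return the id that goes into the cookie.

        A 256-bit random id from secrets makes guessing infeasible; the
        address check only matters once an attacker has the real cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"addr": remote_addr, "data": {}}
        return sid

    def lookup(self, sid: str, remote_addr: str):
        """Return the session data for sid, or None if it is unknown or
        (with the check on) presented from a different address."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.check_session_addr and entry["addr"] != remote_addr:
            # Cookie replayed from an address other than the one that
            # created the session: refuse it.  A real deployment would
            # also log this, since it is a strong stolen-cookie signal.
            return None
        return entry["data"]


def simulate_stolen_cookie(check_session_addr: bool):
    """Constructed scenario: a legitimate client at VICTIM_ADDR creates a
    session and stores something in it; an attacker who captured the
    cookie on the wire replays it from ATTACKER_ADDR.

    Returns (attacker_view, victim_view): what each party gets back from
    the session store after the replay."""
    mgr = SessionManager(check_session_addr)
    sid = mgr.create(VICTIM_ADDR)
    mgr.lookup(sid, VICTIM_ADDR)["account"] = "misha"

    attacker_view = mgr.lookup(sid, ATTACKER_ADDR)
    victim_view = mgr.lookup(sid, VICTIM_ADDR)
    return attacker_view, victim_view


if __name__ == "__main__":
    # With the check on, the replayed cookie yields nothing; with it off,
    # the attacker sees exactly what the victim sees.
    print("check on :", simulate_stolen_cookie(True))
    print("check off:", simulate_stolen_cookie(False))
```

The caveat a practitioner would add to Misha's argument: the check only works when a client's address is stable for the life of the session. Clients behind a pool of outbound proxies or a mobile carrier can legitimately change address between requests and would be refused, and if the server sits behind a reverse proxy the address it sees is the proxy's, so every client shares one address and the check refuses nothing. That trade-off between usability and cookie-theft resistance is exactly the lwn.net case mentioned in the message.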