Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company
From: "Smith, Eric V." <EricSmith () WINDSOR COM>
Date: Thu, 7 Sep 2000 18:20:33 -0400

-----Original Message-----
From: Alan DeKok [mailto:aland () STRIKER OTTAWA ON CA]
Sent: Wednesday, September 06, 2000 1:34 PM
Subject: Re: Intacct.com: Multiple bugs at financial services company

< excellent http authentication discussion deleted>

  The timeout information can be encoded in a cookie, too.  The server
can then verify that the cookie is out of date, deny access, and ask
"pretty-please" for the client to delete the cookie.

  If the client doesn't delete the cookie, they *still* can't gain
access, as the cookie itself contains information about when it

  e.g. cookie = MD5(secret + MD5(secret + expiry + client-IP +
client-ID)) + expiry + client-id

Wow, what a great post.  Thanks.

My only concern is that the client-IP can't really be used.  If the client
is using some sort of outbound round-robin http proxy (like CARP) then
there's no guarantee that any 2 calls from the same client will be from the
same IP address.  I've run into this problem with @home, among others, while
trying inbound load balancing and sending clients back to the same http
server.  It just won't work.  It's been suggested that instead of a single
IP address, use some subnet with a mask, but that's no more reliable since
it's not guaranteed either.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]