mailing list archives
Re: [PEN-TEST] Your opinions are solicited ...
From: "L.W." <eldub () POBOX COM>
Date: Tue, 31 Oct 2000 09:51:59 -0800
-> > -----Original Message-----
-> > From: Paul Robinson [mailto:paul () AKITANET CO UK]
-> > Sent: Tuesday, October 31, 2000 9:59 AM
-> > [...]
-> > In
-> > addition I'd probably do some session-authentication with
-> > changing cookies
-> > per transaction, combined with IP authentication.
-> > [...]
-> IP authentication? In today's world or access through NATed firewall
-> or proxy servers, or providers like AOL, all in an Internet
-> environment increasingly becoming akamaied... uhm... cached, I
-> strongly doubt that IP authentication is viable. Take AOL users for
-> example: One request appears to be coming from proxy1.aol.com, the
-> next request from proxy3.aol.com. That would mean that your 'IP
-> authenticated' web page will invalidate the second request.
Actually, many systems allow SSL sessions to bypass the proxy (many online
services, especially banks, require a direct connections for SSL). This
makes IP-based authentication possible under that context, although not
eldub () pobox com