Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company


From: "Smith, Eric V." <EricSmith () WINDSOR COM>
Date: Thu, 7 Sep 2000 18:20:33 -0400

-----Original Message-----
From: Alan DeKok [mailto:aland () STRIKER OTTAWA ON CA]
Sent: Wednesday, September 06, 2000 1:34 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Intacct.com: Multiple bugs at financial services company

< excellent http authentication discussion deleted>

  The timeout information can be encoded in a cookie, too.  The server
can then verify that the cookie is out of date, deny access, and ask
"pretty-please" for the client to delete the cookie.

  If the client doesn't delete the cookie, they *still* can't gain
access, as the cookie itself contains information about when it
expires.

  e.g. cookie = MD5(secret + MD5(secret + expiry + client-IP +
client-ID)) + expiry + client-id

Wow, what a great post.  Thanks.

My only concern is that the client-IP can't really be used.  If the client
is using some sort of outbound round-robin http proxy (like CARP) then
there's no guarantee that any 2 calls from the same client will be from the
same IP address.  I've run into this problem with @home, among others, while
trying inbound load balancing and sending clients back to the same http
server.  It just won't work.  It's been suggested that instead of a single
IP address, use some subnet with a mask, but that's no more reliable since
it's not guaranteed either.

Eric.
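
The expiring-cookie construction in the quoted message, MD5(secret + MD5(secret + expiry + client-IP + client-ID)) followed by the cleartext expiry and client-id, as an added example. This is editor-supplied code, not code from either poster or from Intacct. Assumptions not in the thread: the `SECRET` value, a NUL byte as field separator inside the hash input (plain concatenation would let expiry `12` with id `34` collide with expiry `123` with id `4`), and the `tag:expiry:client_id` wire layout. The digest is left as MD5 to match the post; the nested keyed construction is essentially what HMAC later standardised, and a current deployment would use `hmac.new(secret, msg, "sha256")` in `_tag`. The `client_ip` argument is optional so the same code shows the point of Eric's reply: a cookie bound to one address is rejected as soon as the request arrives from another.

```python
import hashlib
import hmac
import time

# Hypothetical server secret for the example only; a real deployment loads a
# long random value from a secrets store and rotates it.
SECRET = b"example-server-secret-not-for-production"


def _tag(secret: bytes, expiry: int, client_id: str, client_ip) -> str:
    """MD5(secret + MD5(secret + expiry + client-IP + client-ID)) from the post.

    Fields are joined with a NUL separator (an assumption of this example) so
    that field boundaries are unambiguous. client_ip=None leaves the IP term
    empty, which is the variant Eric's reply argues for.
    """
    ip = (client_ip or "").encode()
    inner_input = b"\x00".join([secret, str(expiry).encode(), ip, client_id.encode()])
    inner = hashlib.md5(inner_input).digest()
    return hashlib.md5(secret + b"\x00" + inner).hexdigest()


def mint_cookie(secret: bytes, client_id: str, ttl_seconds: int,
                client_ip=None, now=None) -> str:
    """Issue a self-describing cookie: tag, then the expiry and id in the clear."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + int(ttl_seconds)
    return f"{_tag(secret, expiry, client_id, client_ip)}:{expiry}:{client_id}"


def verify_cookie(secret: bytes, cookie: str, client_ip=None, now=None):
    """Return the client id if the cookie is genuine and unexpired, else None.

    The server needs no per-session state: the expiry travels in the cookie
    and the tag stops the client from editing it. A client that ignores the
    request to delete an expired cookie is still denied.
    """
    try:
        tag, expiry_s, client_id = cookie.split(":", 2)
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed cookie
    now = int(time.time()) if now is None else int(now)
    # Check the tag before trusting anything else in the cookie, and compare
    # in constant time so the check does not leak how many bytes matched.
    expected = _tag(secret, expiry, client_id, client_ip)
    if not hmac.compare_digest(tag, expected):
        return None
    if now >= expiry:
        return None  # genuine but out of date: deny, whatever the client kept
    return client_id


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    c = mint_cookie(SECRET, "alice", ttl_seconds=600, now=1000)
    print("issued :", c)
    print("t=1500 :", verify_cookie(SECRET, c, now=1500))  # alice
    print("t=1700 :", verify_cookie(SECRET, c, now=1700))  # None, expired
    # IP-bound cookie, then the same client seen from a second proxy address.
    b = mint_cookie(SECRET, "bob", 600, client_ip="10.0.0.5", now=1000)
    print("same IP:", verify_cookie(SECRET, b, client_ip="10.0.0.5", now=1500))
    print("new IP :", verify_cookie(SECRET, b, client_ip="10.0.0.6", now=1500))
```

Run it directly to see the four cases. The last line is the failure mode Eric describes: nothing was forged, the user simply came back through a different outbound proxy, and an IP-bound cookie cannot tell that apart from theft. Leaving `client_ip` out keeps the expiry protection intact without that false rejection.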

