Posted to modperl@perl.apache.org by James G Smith <JG...@TAMU.Edu> on 2001/05/25 18:49:47 UTC

Re: FW: Apache::Session / No-Cookie-Tracking

Jonathan Hilgeman <JH...@ecx.com> wrote:
[snip]
>I accidentally caught them during testing or something and got a variable on
>the URL line. (I substituted the domain name - it's not really cart.com)
>http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E
>
>cartidnum seems to be:
>$IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
>By the way, the session only seems to be active until the browser completely
>shuts down. Any ideas? If I could identify my users on another site without
>using cookies at all, that would be fantastic!

Be careful with using too much magic.

I recently tested/evaluated a product to provide a web interface for email.  
It appears that it uses a combination of IP address and URL to track 
authenticated users.  For example, if I authenticated as foo from 192.168.0.4, 
then as long as I was coming from 192.168.0.4, I could read foo's email, even 
if I was someone else logged into the machine.  The proper URL would be of the 
form http://192.168.0.10/foo (if 192.168.0.10 were the server).

While it is nice to assume one person per IP address, there are many cases 
when this is not true.  In the product I evaluated, guessing the proper URL to 
read someone else's email was trivial.  Going through an SSL proxy didn't mask 
the behavior, just required the use of openssl's client.

In the example you give, the timestamp and unknown number may make it more 
difficult to guess the proper information.  This is a good thing.

Without some information passing between the client and server that is only 
known to them, it is too easy to spoof the client and access a session 
unauthorized.  There is also no way to distinguish two clients on the same 
machine, especially if they are the same application.
-- 
James Smith <JG...@TAMU.Edu>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
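The two design points raised in this thread, that a structured id like
`<IP>T<timestamp>R<number>E` exposes most of its own contents and that a
session needs a secret shared only between client and server, can be made
concrete with a small script. This is an added illustration written for this
archive page, not code from James Smith, Jonathan Hilgeman, or the
Apache::Session module; it is in Python rather than Perl, and the time window
and R-number range it uses for the guess-space estimate are assumed values,
since the thread does not say how the R number is generated.

```python
import hmac
import math
import re
import secrets
from dataclasses import dataclass, field

# Layout quoted in the thread: <dotted IP>T<unix timestamp>R<unknown number>E
CARTID_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})T(\d+)R(\d+)E$")


def parse_cartid(cartid):
    """Split a structured cart id into its visible parts.

    Returns (ip, timestamp, r_number), or None if the id does not match.
    Everything except the R number is observable by anyone who shares the
    client's address (NAT, multi-user host) or can see the URL in a log.
    """
    m = CARTID_RE.match(cartid)
    if not m:
        return None
    ip, ts, r = m.groups()
    return ip, int(ts), int(r)


def structured_id_entropy_bits(time_window_seconds, r_values):
    """Rough size, in bits, of the space left to an adversary who already
    knows the client IP: the creation time within some window times the
    number of possible R values.  Both parameters are assumptions for the
    estimate; compare with the 256 bits of a random token below.
    """
    return math.log2(time_window_seconds * r_values)


TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; the only thing the client must present


@dataclass
class Session:
    user: str
    client_ip: str  # kept for auditing only, never used as the credential


@dataclass
class SessionStore:
    """Server-side state keyed by an unguessable token: the 'information
    known only to client and server' the mail asks for."""
    _sessions: dict = field(default_factory=dict)

    def create(self, user, client_ip):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = Session(user, client_ip)
        return token

    def lookup(self, token):
        # compare_digest needs ASCII str; anything else cannot be a token we issued.
        if not isinstance(token, str) or not token.isascii():
            return None
        # Constant-time comparison so timing does not leak partial matches.
        # For a large store, index on a digest of the token instead of scanning.
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return sess
        return None

    def destroy(self, token):
        self._sessions.pop(token, None)


def two_users_one_address():
    """Two logins from the same address get distinct sessions, and the
    address by itself resolves to nothing.  Returns True when that holds."""
    store = SessionStore()
    t_foo = store.create("foo", "192.168.0.4")
    t_bar = store.create("bar", "192.168.0.4")  # second person on the same machine
    return (
        t_foo != t_bar
        and store.lookup(t_foo).user == "foo"
        and store.lookup(t_bar).user == "bar"
        and store.lookup("192.168.0.4") is None
    )


if __name__ == "__main__":
    print(parse_cartid("208.144.33.190T990806951R5848E"))
    print("structured id, ~1h window, 10^4 R values: %.1f bits"
          % structured_id_entropy_bits(3600, 10_000))
    print("random token: %d bits" % (TOKEN_BYTES * 8))
    print("same-address users kept apart:", two_users_one_address())
```

The `parse_cartid` call shows why the IP in the id is no protection on its own:
it is the one component the mail's shared-address scenario already gives away.
The store is what closes the gap the mail describes, since only the token
identifies a client, so two processes on one host hold two unrelated sessions.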