Newsgroups: php.internals
Message-ID: <52E3DE57.8030806@lsces.co.uk>
Date: Sat, 25 Jan 2014 15:55:03 +0000
To: internals@lists.php.net
References: <52E31FB6.9010408@ajf.me> <52E3C606.6000301@heigl.org> <52E3CBBB.6070003@b1-systems.de>
In-Reply-To: <52E3CBBB.6070003@b1-systems.de>
Subject: Re: [PHP-DEV] Session IP address matching
From: lester@lsces.co.uk (Lester Caine)

Ralf Lang wrote:
> We have this security feature in userspace code in Horde 3-5, but it's
> of limited value because all installations with corporate network users
> need to turn it off (because their IPs are constantly changing).

It is probably worth flagging a different problem I've been hitting recently!

Many of the browsers I am serving are at fixed locations, so the machine name/IP address determines that I'm processing, say, 'Counter 3', and so I can make announcements and update displays to call to the correct location. However, the use of 'virtual' devices means that there is no fixed information returned for the physical device :( The IP address can change between each use of a counter location as a different 'virtual' device is picked up. Since the IP address is a critical part of our anti-fraud checks, these sites are now actually failing to meet critical security requirements, but that is currently being ignored!

Logging the physical location of each session has always worked in the past, but is now compromised as any device on the network can pretend to be at a secure location. Cash payment terminals are a good example of a problem area. Properly implemented the risk can be reduced, but that requires IT departments actually knowing what they are doing :)

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
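An added illustration of the userspace check Ralf describes, written for this page and not taken from the thread or from Horde: a session is bound to the address seen at login and later requests are compared against it, with the strict exact-match setting that forces corporate deployments to turn it off and a looser prefix match beside it. The function names and the prefix-length parameter are my own constructions.

```php
<?php
// Added example: session/IP binding check with a strict and a prefix-based mode.
// Assumptions: IPv4 addresses, REMOTE_ADDR set by the web server (never taken
// from X-Forwarded-For or similar client-controlled headers).
declare(strict_types=1);

/**
 * Compare the address recorded at login with the address of this request.
 * $prefixBits = 32 is strict binding (exact match); a smaller value, e.g. 24,
 * accepts any address inside the same IPv4 prefix. 0 disables the check.
 * Anything that is not a valid IPv4 address only matches when identical.
 */
function session_ip_matches(string $boundIp, string $requestIp, int $prefixBits = 32): bool
{
    if ($boundIp === $requestIp) {
        return true;
    }
    if ($prefixBits <= 0) {
        return true;                       // binding disabled
    }
    $a = ip2long($boundIp);
    $b = ip2long($requestIp);
    if ($a === false || $b === false || $prefixBits > 32) {
        return false;
    }
    // Signed -1 shifted left keeps the mask correct on 32- and 64-bit builds.
    $mask = -1 << (32 - $prefixBits);
    return ($a & $mask) === ($b & $mask);
}

/**
 * Apply the check to an already started session. On mismatch the session is
 * destroyed so a session id presented from another address is not reusable.
 * Returns true when the request may continue.
 */
function enforce_session_ip_binding(int $prefixBits = 32): bool
{
    $requestIp = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['bound_ip'])) {
        $_SESSION['bound_ip'] = $requestIp;   // first request: record the address
        return true;
    }
    if (session_ip_matches($_SESSION['bound_ip'], $requestIp, $prefixBits)) {
        return true;
    }
    $_SESSION = [];
    session_destroy();
    return false;
}

// session_ip_matches('10.1.2.3', '10.1.2.77', 32) is false: a user whose
// address changes behind a corporate proxy is logged out, which is why the
// strict setting gets disabled; with 24 it is true, at the cost of accepting
// any peer in that /24, so it is a trade-off, not a fix.
```

With the strict setting, every address change ends the session, so the feature protects single-address users and is switched off precisely where users sit behind NAT or rotating proxies; the prefix mode narrows the damage but, as Lester's counter example shows, does nothing when another device on the same network can take over the address.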