How to continually verify authentication throughout a web application?

Simply changing your session ID, or token, or whatever, won't help you. It would be easy to automate its usage. You have step #1 down... using SSL.

That helps prevent someone from getting the data in the first place. You should also keep track of the client IP address on the server, so that if you get a request for a particular session and the IP doesn't match, you know right away that someone is spoofing or that the user has a new address, in which they should re-authenticate. There are many other methods.

I've seen a few around Stack Overflow. I will post them here as I find them, but it is often best to use a combination of techniques.

I thought about using the client's IP with the token. The two together would definitely help, but I noticed when testing on my home server that my PC and my gf's PC were seen as the same IP because they are behind the same router. So anyone listening on the same network wouldn't need to spoof their IP; the router kind of does that for them. Unless I also added in RemotePort. Can't spoof that one without having admin privileges on the router. – Spidy Mar 28 at 3:37

You absolutely cannot rely on remote port. The client can use whatever port it wants, and you should not rely on it being the same one every time. The reason you and your girlfriend show up as the same IP is that you only have one actual public IP address. The rest are in a private subnet, and NAT is used to traverse the two networks. Nothing you can do about that, so don't waste time on it. – Brad Mar 28 at 3:51

Also, you definitely can pick any port you want to connect out to a server on. No router changes necessary; it has nothing to do with it. So, even if you could rely on it being the same for a particular user, it is extremely easy to "spoof"... no spoofing required, just use the same port. – Brad Mar 28 at 3:53

You're right, I forgot the router assigns a port at will. I know why we show up as the same IP, and it's what makes me worry about an attack still being possible from someone on the same subnet as another. Thanks for pointing out that port flaw. Guess this question is still unsolved for the most part. – Spidy Mar 28 at 4:19
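The server-side session check the answer above describes, as an added example that is not part of the original post or its comments. It is a constructed in-memory store: each session id is random, bound to the client IP seen at login, expires after an idle timeout, and is dropped (forcing re-authentication) when the same id arrives from a different address. The names (`SessionStore`, `validate`, `rotate`, `SESSION_TTL`) and the sample addresses are my own assumptions; the `demo()` function also reproduces the NAT limitation raised in the comments, where two hosts behind one router share a public IP and so pass the IP check for each other's session.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed value, not from the post)


class SessionStore:
    """Constructed in-memory session store; a real app would back this with a DB or cache."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be exercised deterministically

    def create(self, user, client_ip):
        # 32 random bytes from the OS CSPRNG: an unguessable session id.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": client_ip, "last_seen": self._now()}
        return token

    def validate(self, token, client_ip):
        """Return (status, user). status is one of:
        'ok'          - token known, IP matches, not idle-expired
        'unknown'     - no such token (never issued, already dropped, or logged out)
        'expired'     - idle too long; user must log in again
        'ip_mismatch' - token presented from a different address; the session is
                        dropped so the user must re-authenticate, as the answer suggests
        """
        sess = self._sessions.get(token)
        if sess is None:
            return "unknown", None
        if self._now() - sess["last_seen"] > SESSION_TTL:
            del self._sessions[token]
            return "expired", None
        if sess["ip"] != client_ip:
            # Could be hijacking or a legitimate address change (mobile roaming,
            # DHCP renewal); either way, re-authenticate rather than guess.
            del self._sessions[token]
            return "ip_mismatch", None
        sess["last_seen"] = self._now()
        return "ok", sess["user"]

    def rotate(self, token):
        """Issue a fresh id for the same session (e.g. after login or a privilege change)
        and invalidate the old one, so a previously captured id stops working."""
        sess = self._sessions.pop(token)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = sess
        return new_token


def demo():
    """Exercise the checks with constructed addresses (TEST-NET ranges, not real hosts)."""
    store = SessionStore()
    alice = store.create("alice", "203.0.113.10")
    results = {}
    results["same_ip"] = store.validate(alice, "203.0.113.10")[0]
    # Same id replayed from a different public address: rejected and dropped.
    results["other_ip"] = store.validate(alice, "198.51.100.7")[0]
    # After the mismatch the session is gone even for the original address.
    results["after_mismatch"] = store.validate(alice, "203.0.113.10")[0]
    # NAT caveat from the comments: a second host behind the same router shows
    # the same public IP, so an id taken on that LAN passes the IP check.
    bob = store.create("bob", "203.0.113.10")
    results["nat_sibling"] = store.validate(bob, "203.0.113.10")[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The IP binding raises the bar for an id captured off-network but, as the comments note, does nothing against a host sharing the same NAT address; the idle timeout and id rotation limit how long any captured id stays usable regardless of where it is replayed from.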

There's a good discussion of this issue here, along with an advert for a product called hdiv that claims to make it all work securely: theserverside.com/news/1363675/Are-Java-....
