Bug 570686 - [SSO] Bind session cookie to client IP address
Opened 15 years ago, closed 14 years ago
Product: Webtools Graveyard, Component: SSO (Legacy), defect, P1
Status: RESOLVED FIXED
Reporter: wenzel, Assignee: wenzel
Whiteboard: [infrasec:auth]

Description:
Much like we do on bugzilla and other places, the SSO session cookie should be valid for its original IP address only.
History:
- Updated 15 years ago: Component: Webdev → SSO; Product: mozilla.org → Webtools
- Updated 15 years ago: QA Contact: webdev → sso
- Updated 15 years ago: Whiteboard: [infrasec:auth]
- Updated 15 years ago: Priority: -- → P1
- Updated 14 years ago: Assignee: fwenzel → nobody
Comment 1 (14 years ago):
This is fixed:
http://github.com/mozilla/secret-squirrel/commit/85b5f61
Notes:
- I used django-paranoid-sessions[1], which can do even more to ensure session safety than what we are using it for now. I only switched on remote IP checking, however. Michael, you might want to check out what else that package offers, for inspiration :).
- I wrote a test that ensures an established session is logged out when the client IP changes.
- I am using commonware's remote IP middleware to check the client IP vs. our load balancer's IP (which would be useless).
- Ozten: You have to ``pip install -r requirements/dev.txt``.
[1] http://github.com/rfk/django-paranoid-sessions/
Assignee: nobody → fwenzel
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
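The two pieces the comment above relies on, as an added illustration that is not code from secret-squirrel, django-paranoid-sessions or commonware: first, resolving the real client address behind a load balancer (otherwise every request appears to come from the balancer and the IP check is useless, as the comment notes); second, binding a session to that address and destroying the session when a later request arrives from a different one. The trusted-proxy range, header name, IP addresses and session store are all assumptions made up for this example.

```python
"""Bind a server-side session to the client IP that created it.

Added example; not the project's own code. TRUSTED_PROXIES, the header
name and every address below are constructed for illustration.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

# Assumption: the load balancers we trust to append X-Forwarded-For live here.
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.0/24")}


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Return the address the session should be bound to.

    Only when the TCP peer is one of our trusted balancers do we consult
    X-Forwarded-For, and then we take the LAST element, which is the one
    the balancer itself appended. Earlier elements are client-supplied and
    untrusted. A client connecting directly gets its peer address and its
    header is ignored, so it cannot choose the IP it is bound to.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            candidate = xff.split(",")[-1].strip()
            ipaddress.ip_address(candidate)  # raises ValueError on garbage
            return candidate
    return remote_addr


@dataclass
class Session:
    user: str
    bound_ip: str


class SessionStore:
    """Minimal in-memory session store with IP binding (constructed)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, bound_ip=ip)
        return sid

    def resolve(self, sid: str, ip: str) -> Optional[str]:
        """Return the session's user if ip matches the bound address.

        On a mismatch the session is destroyed, i.e. the client is logged
        out, which is the behaviour the comment's test checks for.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess.bound_ip != ip:
            del self._sessions[sid]
            return None
        return sess.user

    def is_active(self, sid: str) -> bool:
        return sid in self._sessions


def demo() -> dict:
    """Login through the balancer, then replay the cookie from elsewhere."""
    store = SessionStore()
    lb = "10.0.0.5"  # constructed balancer address inside TRUSTED_PROXIES
    sid = store.login("alice", client_ip(lb, {"X-Forwarded-For": "203.0.113.7"}))
    same = store.resolve(sid, client_ip(lb, {"X-Forwarded-For": "203.0.113.7"}))
    # A stolen cookie replayed from 198.51.100.9. The thief forges the
    # victim's IP in the header, but the balancer appends the real peer.
    stolen = store.resolve(
        sid, client_ip(lb, {"X-Forwarded-For": "203.0.113.7, 198.51.100.9"})
    )
    return {"same": same, "stolen": stolen, "active": store.is_active(sid)}
```

Two caveats a deployer should keep in mind: the check is only as good as the trust boundary in `client_ip` (trust the wrong peers and the header becomes attacker-controlled again), and it will log out legitimate users whose address changes mid-session, for example on mobile carriers or behind rotating NAT pools.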
Updated 8 years ago: Product: Webtools → Webtools Graveyard