Closed Bug 570686 Opened 15 years ago Closed 14 years ago

[SSO] Bind session cookie to client IP address

Categories

(Webtools Graveyard :: SSO (Legacy), defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wenzel, Assigned: wenzel)

Details

(Whiteboard: [infrasec:auth])

Much like we do on bugzilla and other places, the SSO session cookie should be valid for its original IP address only.
Component: Webdev → SSO
Product: mozilla.org → Webtools
QA Contact: webdev → sso
Whiteboard: [infrasec:auth]
Priority: -- → P1
Assignee: fwenzel → nobody
This is fixed: http://github.com/mozilla/secret-squirrel/commit/85b5f61

Notes:

- I used django-paranoid-sessions[1], which can do even more to ensure session safety than what we are using it for now. I only switched on remote IP checking, however. Michael, you might want to check out what else that package offers, for inspiration :).
- I wrote a test that ensures an established session is logged out when the client IP changes.
- I am using commonware's remote IP middleware to check the client IP vs. our load balancer's IP (which would be useless).
- Ozten: You have to ``pip install -r requirements/dev.txt``.

[1] http://github.com/rfk/django-paranoid-sessions/
Assignee: nobody → fwenzel
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
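The mechanism described in the comment above (record the client IP when the session is established, log the session out when a request arrives from a different address, and derive the client IP from the load balancer's forwarding header rather than the balancer's own address) as an added illustration. This is not the secret-squirrel fix nor the django-paranoid-sessions or commonware code; it is framework-free Python so it runs without Django. The TRUSTED_PROXIES range, the in-memory session store, and the dict-shaped request are constructed assumptions for the example.

```python
"""Bind a session to the client IP that created it (constructed example)."""
import ipaddress
import secrets

# Constructed assumption: the address range our own load balancers sit in.
# Only when the TCP peer is one of these do we believe X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the real client address as a string.

    Behind a load balancer REMOTE_ADDR is the balancer, so binding to it would
    tie every session to the same address and the check would be useless.
    When the peer is a trusted proxy we walk X-Forwarded-For from the right
    and return the first hop that is not one of our proxies. When the peer is
    not trusted the header is ignored, so clients cannot pick their own IP.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: stop trusting it, fall back to the peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


class SessionStore:
    """Minimal in-memory session store keyed by an unguessable session id."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": ip}  # IP bound at login
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


class IPBindingMiddleware:
    """Reject (and destroy) a session presented from a different client IP.

    `request` is a dict with "cookies" and "meta" (REMOTE_ADDR and optional
    HTTP_X_FORWARDED_FOR), standing in for a framework request object.
    """

    def __init__(self, store):
        self.store = store

    def process_request(self, request):
        sid = request.get("cookies", {}).get("sessionid")
        session = self.store.get(sid) if sid else None
        if session is None:
            return {"user": None, "reason": "no_session"}
        meta = request["meta"]
        ip = client_ip(meta["REMOTE_ADDR"], meta.get("HTTP_X_FORWARDED_FOR"))
        if session["ip"] != ip:
            # The cookie moved to another address: treat it as a logout, not a
            # soft warning, so a leaked cookie cannot be replayed elsewhere.
            self.store.destroy(sid)
            return {"user": None, "reason": "ip_mismatch"}
        return {"user": session["user"], "reason": None}


def login(store, user, request):
    """Establish a session bound to the requester's client IP."""
    meta = request["meta"]
    return store.create(user, client_ip(meta["REMOTE_ADDR"], meta.get("HTTP_X_FORWARDED_FOR")))


if __name__ == "__main__":
    store = SessionStore()
    via_lb = {"meta": {"REMOTE_ADDR": "10.1.2.3", "HTTP_X_FORWARDED_FOR": "203.0.113.5"}}
    sid = login(store, "alice", via_lb)
    mw = IPBindingMiddleware(store)
    print(mw.process_request({"cookies": {"sessionid": sid}, **via_lb}))
    moved = {"meta": {"REMOTE_ADDR": "10.1.2.3", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}}
    print(mw.process_request({"cookies": {"sessionid": sid}, **moved}))
```

The trusted-proxy list is the part that decides whether the check means anything: the comment's point that comparing against the load balancer's IP "would be useless" is exactly the failure you get if `client_ip` returned `REMOTE_ADDR` unconditionally. The flip side is worth knowing before enabling this: users whose address legitimately changes mid-session (mobile networks, some corporate egress pools) are logged out, which is the behaviour the fix's test deliberately asserts.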