Re: Session IP address matching

From: Date: Sat, 25 Jan 2014 15:55:03 +0000
Subject: Re: Session IP address matching
Groups: php.internals
Ralf Lang wrote:
> We have this security feature in userspace code in Horde 3-5, but it's of limited value because all installations with corporate network users need to turn it off (because their IPs are constantly changing).

It is probably worth flagging a different problem I've been hitting recently! Many of the browsers I am serving are at fixed locations, so the machine name/IP address determines that I'm processing, say, 'Counter 3' and so I can make announcements and update displays to call to the correct location. However, the use of 'virtual' devices means that there is no fixed information returned for the physical device :( The IP address can change between each use of a counter location as a different 'virtual' device is picked up. Since the IP address is a critical part of our anti-fraud checks, these sites are now actually failing to meet critical security requirements, but that is currently being ignored!

Logging the physical location of each session has always worked in the past, but is now compromised as any device on the network can pretend to be at a secure location. Cash payment terminals are a good example of a problem area. Properly implemented, the risk can be reduced, but that requires IT departments actually knowing what they are doing :)

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
