May 8th, 2007, 05:44 PM
#13
 Originally Posted by White_Eskimo
I really do think that the best solution is to store the user's IP address inside of the spawned session. If someone tries to access the site with the same cookie credentials but the wrong IP address, they will be denied access. If they attempt to spoof the IP address, then the server will respond to the spoofed IP address and NOT the malicious hacker. The innocent user's machine will deny the packet automatically because there was never a request made. Information should be stored both on the client and server side. If all of the necessary information is stored in one area, it is very prone to failure and attack.
Hey Nihil, I was hoping we could change the direction of the conversation so that I can get your input about my suggested fix.
What do you think of storing unique information on both the server and client side? In order to protect NATed users, I recommend storing both the user's IP address and his/her MAC address. Because each IP address must be mapped to a single MAC address according to RFC 826 (ARP), a malicious hacker on the NATed subnet cannot spoof a user's account. If she/he were to make a request and spoof the correct user's MAC address, the NAT router would attempt to route the packet back to the computer with the original user's MAC address where it would be dropped. I think that this is the best solution. The only downside is that the server needs to store more information in RAM. Do you see any failures or problems with this approach that I may have overlooked? Thanks!
Last edited by White_Eskimo; May 8th, 2007 at 07:33 PM.
Support your right to arm bears.

^^This was the first video game which I played on an old win3.1 box
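A minimal sketch of the server-side check proposed in the post above, added here as an example and not code from the thread: the session records the IP address seen at login and rejects the cookie when it arrives from any other address. The class and method names are hypothetical, and the MAC address is left out because a web server only sees link-layer addresses on its own network segment, so every client behind one NAT presents the same bound IP.

```python
import ipaddress
import secrets


class IPBoundSessions:
    """Server-side session table: cookie token -> (user, IP recorded at login)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, peer_ip):
        # peer_ip must be the TCP peer address the server itself observed,
        # never a client-supplied header such as X-Forwarded-For.
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = (user, ipaddress.ip_address(peer_ip))
        return token

    def validate(self, token, peer_ip):
        """Return the user for a valid cookie presented from the bound IP, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_ip = entry
        try:
            # Parsing normalises textual variants (e.g. IPv6 zero compression).
            seen_ip = ipaddress.ip_address(peer_ip)
        except ValueError:
            seen_ip = None
        if seen_ip != bound_ip:
            # Cookie replayed from another address: revoke it so the
            # legitimate user has to log in again and the copy is useless.
            del self._sessions[token]
            return None
        return user


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    store = IPBoundSessions()
    cookie = store.create("alice", "203.0.113.10")
    print(store.validate(cookie, "203.0.113.10"))  # same address
    print(store.validate(cookie, "198.51.100.7"))  # different address
    print(store.validate(cookie, "203.0.113.10"))  # after revocation
```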