From mboxrd@z Thu Jan 1 00:00:00 1970
From: Zelphir Kaltstahl
Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Date: Thu, 24 Oct 2019 18:39:54 +0200
Message-ID: <11d013a9-74af-95e7-67d0-497682c268e3@posteo.de>
To: guile-user@gnu.org

Hi Nala!

I have a question regarding this IP check. Does this mean that both the IP address and (logical and) the cookie need to be correct, or is it an inclusive logical or?

I sometimes find myself switching the location of the server of the VPN I am using.
In such a case, would I still be logged in, based on the correct cookie, or would I be logged out, because my IP address does not match my previous address?

Regards,
Zelphir

On 10/24/19 4:15 PM, Nala Ginrut wrote:
> On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <
> pelzflorian@pelzflorian.de> wrote:
>
>> Because of login CSRF the Referer header should also be verified for
>> all links internal to the website (external links should strip the
>> Referer header via redirect pages similar to what the code attached to
>> this mail does).
>>
>> I do not know what Artanis does currently. I will check next week.
>>
>>
> The current Artanis will check both the session token (from cookies) and the
> client IP.
> This method was blamed for being overkill because some users may be in the
> same LAN with a unique external IP.
> But I think IPv6 will cover this world finally, so I think this would be
> the best way to go.
> Of course, there's no conflict in adding an extra verification token. Patches or
> proposals are welcome. ;-)
>
> Best regards.
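
An added example, not part of the thread and not Artanis code: the two readings of the check asked about above (logical AND versus inclusive OR of session cookie and client IP), evaluated on constructed requests. `SessionStore`, `check`, `run_scenarios` and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import secrets


class SessionStore:
    """Hypothetical in-memory session table (illustration only, not Artanis code)."""

    def __init__(self):
        self._bound_ip = {}  # session token -> address seen at login

    def login(self, client_ip):
        token = secrets.token_urlsafe(32)
        self._bound_ip[token] = ipaddress.ip_address(client_ip)
        return token

    def check(self, cookie, client_ip, policy):
        ip = ipaddress.ip_address(client_ip)  # normalises IPv4/IPv6 spellings
        token_ok = cookie in self._bound_ip
        if policy == "and":
            # Token must exist AND the request must come from the login address.
            return token_ok and self._bound_ip[cookie] == ip
        if policy == "or":
            # Either factor alone is accepted: a matching address needs no token.
            return token_ok or ip in self._bound_ip.values()
        raise ValueError(f"unknown policy: {policy!r}")


def run_scenarios():
    """Evaluate both policies on constructed requests (documentation-range IPs)."""
    store = SessionStore()
    home, vpn_exit = "203.0.113.10", "198.51.100.7"
    cookie = store.login(home)
    requests = {
        "same address, valid cookie": (cookie, home),
        "VPN exit changed, valid cookie": (cookie, vpn_exit),
        "same NAT address, no cookie": (None, home),
        "unknown address, forged cookie": ("forged", vpn_exit),
    }
    return {
        name: {p: store.check(c, ip, p) for p in ("and", "or")}
        for name, (c, ip) in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32} AND={verdict['and']!s:5} OR={verdict['or']}")
```

Under the AND policy a changed VPN exit fails the check despite a valid cookie; under the OR policy a request from the bound address passes with no cookie at all.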