From: Security Coordinator (security at aptusventures.com)
Date: Fri Feb 08 2002 - 12:00:12 CST
On Friday 08 February 2002 11:02, John Percival wrote:
> > The most important assumption made was the unreliability of the info
> > we were using for the message. If a client's IP address changed during
> > a session, guess what? That session was no longer valid, and they
> > were forced to re-authenticate. (In fact, most exceptions dumped the
> > user to a login page, but we were pressed for time.) All that mattered
> > was that most of the users could access most of the site most of the
> > time. The few random users whose IP addresses mysteriously changed
> > between sessions (null values were considered valid), were forced back to
> > the login page.
>
> I just wanted to pick up on a small point here: when writing sessions
> support, we had big problems, because we frequently found users whose IP
> address changed through the session. This, we eventually found out, was
> because of proxies: or at least a group of proxies, and the user was passed
> between different proxies as the session went on. One place that I know
> that this technology is in place is UK's JANET - through which many
> students get online. There are, say, 5 proxy servers on the network, and
> when you request a page, your request can go through any one of the 5
> proxies, and thus have any one of 5 IP addresses.
>
> We did not find a good solution to this in the end. I'm not sure if anyone
> else has got suggestions of how to get around this issue?
>
> John
Don't proxy servers add some HTTP headers for just this very reason? Granted,
there are anonymizing proxies that don't, but who wants secure anonymous
access control? It's an oxymoron.
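As an added illustration (not code from this thread or from either poster), the following Python sketch shows how the "proxy headers" idea can be combined with the IP-bound session check the thread describes, so that a user whose requests rotate through a known pool of proxies keeps their session while the header is still ignored from any peer that is not one of those proxies. The proxy pool addresses, the client address and the `X-Forwarded-For` values are all constructed sample data; the session store is a toy in-memory one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the operator's own proxy pool (think of a JANET-style
# cluster of five proxies). Only these peers are allowed to assert a client
# address via X-Forwarded-For; the header from any other peer is ignored,
# because anyone else can put whatever they like in it.
TRUSTED_PROXIES = {ipaddress.ip_address(f"198.51.100.{n}") for n in range(1, 6)}


def effective_client_ip(remote_addr, xff_header):
    """Return the address a session should be bound to.

    remote_addr is the TCP peer (REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    # X-Forwarded-For reads "client, proxy1, proxy2, ...": walk from the right,
    # dropping addresses that belong to our own pool, and stop at the first
    # address we did not add ourselves.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


@dataclass
class Session:
    user: str
    bound_ip: str


class SessionStore:
    """Toy in-memory session store that binds each session to an address."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id, user, remote_addr, xff_header=None):
        self._sessions[session_id] = Session(
            user, effective_client_ip(remote_addr, xff_header)
        )

    def validate(self, session_id, remote_addr, xff_header=None):
        """True when the session exists and the request resolves to the same
        effective client address it was created from; a False result is the
        point at which the thread's approach sends the user back to login."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return False
        return sess.bound_ip == effective_client_ip(remote_addr, xff_header)


def demo():
    store = SessionStore()
    # Constructed: client 203.0.113.7 logs in via proxy 198.51.100.1.
    store.create("s1", "alice", "198.51.100.1", "203.0.113.7")
    results = {}
    # Same client, next request routed through proxy .4: still valid.
    results["other_proxy"] = store.validate("s1", "198.51.100.4", "203.0.113.7")
    # A peer outside the pool presents the same header: header ignored, mismatch.
    results["untrusted_peer"] = store.validate("s1", "192.0.2.9", "203.0.113.7")
    # A pool proxy that omits the header: request binds to the proxy's own
    # address, which no longer matches the session.
    results["missing_header"] = store.validate("s1", "198.51.100.2", None)
    return results


if __name__ == "__main__":
    print(demo())
```

The trust decision is the whole point: honouring `X-Forwarded-For` from arbitrary peers would turn the session check into something any client can satisfy by setting a header, while honouring it only from the operator's own proxies keeps the check meaningful and still tolerates the proxy-rotation problem described above.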