From: Security Coordinator (securityaptusventures.com)
Date: Fri Feb 08 2002 - 12:00:12 CST
On Friday 08 February 2002 11:02, John Percival wrote:
> > The most important assumption made was the unreliability of the info
> > we were using for the message. If a client's IP address changed during
> > a session, guess what? That session was no longer valid, and they
> > were forced to re-authenticate. (In fact, most exceptions dumped the
> > user to a login page, but we were pressed for time.) All that mattered
> > was that most of the users could access most of the site most of the
> > time. The few random users whose IP addresses mysteriously changed
> > between sessions (null values were considered valid), were forced back to
> > the login page.
> I just wanted to pick up on a small point here: when writing sessions
> support, we had big problems, because we frequently found users whose IP
> address changed through the session. This, we eventually found out, was
> because of proxies: or at least a group of proxies, and the user was passed
> between different proxies as the session went on. One place that I know
> that this technology is in place is UK's JANET - through which many
> students get online. There are, say, 5 proxy servers on the network, and
> when you request a page, your request can go through any one of the 5
> proxies, and thus have any one of 5 IP addresses.
> We did not find a good solution to this in the end. I'm not sure if anyone
> else has got suggestions of how to get around this issue?
Don't proxy servers add some HTTP headers for just this very reason? Granted,
there are anonymizing proxies that don't, but who wants secure anonymous
access control? It's an oxymoron.
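The thread above describes two things: sessions bound to a client IP that are thrown away when the address changes, and the idea of using the headers proxies add (X-Forwarded-For) to see the real client behind a rotating proxy pool. The following is an added example, not code from either poster, showing how the two fit together: the session is bound to the address taken from X-Forwarded-For only when the connecting host is a proxy the site already trusts, so a rotating trusted pool keeps the session alive while a request that arrives directly with a forged header does not. The proxy addresses, client addresses and request headers are constructed sample values.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed set of reverse-proxy addresses the site operator knows about
# (assumption: in a real deployment this is the actual proxy pool in front of
# the application). X-Forwarded-For is believed only when sent by one of them.
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in ("10.0.0.1", "10.0.0.2", "10.0.0.3")}


def effective_client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Return the address a session should be bound to.

    The connecting address is used unless it belongs to a trusted proxy and
    that proxy supplied X-Forwarded-For; only then is the first hop listed in
    the header taken as the client. A header from any other host is ignored,
    because a direct client can put anything into X-Forwarded-For.
    Raises ValueError for a missing or malformed connecting address.
    """
    remote = ipaddress.ip_address(remote_addr)  # ValueError on None / garbage
    if remote in TRUSTED_PROXIES:
        first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        if first:
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                pass  # malformed header from a trusted proxy: fall back to the proxy's own address
    return str(remote)


@dataclass
class Session:
    user: str
    bound_ip: str


SESSIONS: Dict[str, Session] = {}


def create_session(user: str, remote_addr: str, headers: Dict[str, str]) -> str:
    """Issue a random token and remember which client address it is bound to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, effective_client_ip(remote_addr, headers))
    return token


def validate_session(token: str, remote_addr: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the user for a valid token, or None when the caller must re-authenticate.

    Any mismatch between the bound address and the address of the current
    request ends the session, as the original post describes; a request whose
    connecting address cannot be determined is treated the same way.
    """
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    try:
        current = effective_client_ip(remote_addr, headers)
    except ValueError:
        current = None
    if current != sess.bound_ip:
        SESSIONS.pop(token, None)  # force a fresh login
        return None
    return sess.user


def demo() -> Dict[str, Optional[str]]:
    """Constructed walk-through: one student behind a rotating trusted proxy pool."""
    token = create_session("alice", "10.0.0.1", {"X-Forwarded-For": "192.0.2.10"})
    results = {}
    # Same client, request relayed by a different proxy from the pool: still valid.
    results["same_client_other_proxy"] = validate_session(
        token, "10.0.0.3", {"X-Forwarded-For": "192.0.2.10"})
    # Token presented directly from an unknown host with a copied header: rejected,
    # because the header is not trusted from that source.
    results["untrusted_host_with_header"] = validate_session(
        token, "198.51.100.7", {"X-Forwarded-For": "192.0.2.10"})
    # The mismatch ended the session, so the legitimate client must log in again.
    results["after_mismatch"] = validate_session(
        token, "10.0.0.2", {"X-Forwarded-For": "192.0.2.10"})
    return results


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the `demo` function makes visible: because a mismatch discards the session rather than just refusing the one request, a single bad request with a copied token also logs the real user out. Whether to tolerate that for availability, or to keep the session and only reject the mismatching request, is a policy choice; what the example does not do is trust X-Forwarded-For from a host that is not in the configured proxy set.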