Bug w/ bugzilla and loadbalancing
Dirk Mueller
mueller at kde.org
Fri Sep 20 00:44:17 BST 2002
On Thu, 19 Sep 2002, Daniel Naber wrote:
> > But I feel unsafe in changing that. Could someone explain?
> http://bugzilla.mozilla.org/show_bug.cgi?id=20122
> So long actually that I didn't read it :-)
Read it. Basically it's just a security measure against a cookie-stealing
attack.
However, all of them are sick of this restriction. There are 3 suggestions,
none of them currently implemented:
a) make it check a "netmask" only, i.e. check whether the first 16 bits of
the IP still match
b) add a "loosely login" checkbox that makes it ignore the IP check
c) make it use the HTTP_X_FORWARDED_FOR HTTP header, which would fix the
problem of a changing IP behind rotating proxy servers.
The problem here is that this header often isn't there for privacy reasons,
or it contains a private IP address in the case of NAT (Simon's case).
-> useless.
IMHO reducing it to a class C netmask check would be the best thing to do.
It is very unlikely that rotating proxy servers aren't in the same subnet,
for ARP-proxying reasons.
There is a patch for this case attached to the bug report, but it doesn't
seem to be optimal, at least not clean enough to commit.
--
Dirk (received 65 mails today)
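The three options Dirk lists (a netmask check, a "loosely login" opt-out, and X-Forwarded-For with its NAT problem) as an added, runnable illustration. This is not Bugzilla's code and not from the thread: the session store, the cookie token format, the CGI-style environment keys, and all addresses (RFC 5737 documentation ranges) are constructed for the example. One caveat a deployment needs that the thread does not spell out: X-Forwarded-For is set by whoever sends the request, so it is only meaningful when a proxy you control overwrites it.

```python
"""Login-cookie IP binding with an optional netmask check.

Illustration of the Bugzilla IP check discussed in the thread above; it is
not Bugzilla's own code. Session store, token format, environ keys and all
addresses below are constructed for the example.
"""
import ipaddress
import secrets
from typing import Dict, Optional

# Address blocks a NAT gateway may put into X-Forwarded-For. They identify
# nothing outside the sender's own network, so the header is ignored when it
# carries one of them (the NAT case from the message above).
_PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def client_ip(environ: dict) -> Optional[str]:
    """Choose the address a login cookie is bound to (suggestion c).

    Takes the leftmost X-Forwarded-For entry when it is a public address and
    otherwise falls back to REMOTE_ADDR. The CGI-style key names are an
    assumption of this example. Only honour the header when a proxy you
    control sets it: a client can send any value it likes.
    """
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    first = xff.split(",")[0].strip()
    if first:
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            addr = None
        if addr is not None and not any(addr in net for net in _PRIVATE_NETS):
            return str(addr)
    return environ.get("REMOTE_ADDR")


def same_network(a: str, b: str, prefix: int) -> bool:
    """True when a and b agree in their first `prefix` bits (suggestion a).

    prefix=32 is the exact match Bugzilla does today, 24 is the class C
    check Dirk favours, 16 the 16-bit variant. IPv4 only, as in the thread.
    """
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net


def login(sessions: Dict[str, dict], user: str, ip: str) -> str:
    """Issue a cookie token and remember which address it was issued to."""
    token = secrets.token_hex(16)
    sessions[token] = {"user": user, "ip": ip}
    return token


def validate(sessions: Dict[str, dict], token: str, ip: str,
             prefix: int = 32, loose: bool = False) -> Optional[str]:
    """Return the user for `token`, or None when the cookie is rejected.

    `loose` is the "loosely login" checkbox (suggestion b): the user opted
    out of the IP check, so the cookie is accepted from any address.
    Otherwise the request address must lie in the same /prefix network as
    the address the cookie was issued to.
    """
    sess = sessions.get(token)
    if sess is None:
        return None
    if loose or same_network(sess["ip"], ip, prefix):
        return sess["user"]
    return None


def demo() -> dict:
    """Walk through the cases from the thread with constructed addresses."""
    sessions: Dict[str, dict] = {}
    token = login(sessions, "simon", "198.51.100.85")
    return {
        # exact check: the next request arrives via a different proxy
        "exact_same_ip": validate(sessions, token, "198.51.100.85"),
        "exact_rotated_proxy": validate(sessions, token, "198.51.100.86"),
        # class C check: a rotated proxy in the same /24 passes ...
        "c_rotated_proxy": validate(sessions, token, "198.51.100.86", prefix=24),
        # ... while the cookie replayed from another network still fails
        "c_stolen_cookie": validate(sessions, token, "203.0.113.9", prefix=24),
        "loose_anywhere": validate(sessions, token, "203.0.113.9", loose=True),
        # X-Forwarded-For: public client, NAT'ed client, header absent
        "xff_public": client_ip({"REMOTE_ADDR": "192.0.2.10",
                                 "HTTP_X_FORWARDED_FOR": "203.0.113.5, 192.0.2.10"}),
        "xff_nat": client_ip({"REMOTE_ADDR": "192.0.2.10",
                              "HTTP_X_FORWARDED_FOR": "192.168.1.20"}),
        "xff_absent": client_ip({"REMOTE_ADDR": "192.0.2.10"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result}")
```

The netmask variant keeps the property the check exists for: a cookie replayed from a different network is still refused, while a client whose requests leave through several proxies in one /24 stays logged in. The NAT fallback in `client_ip` is what makes option (c) degrade to the plain REMOTE_ADDR check in exactly the case Dirk describes.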
More information about the kde-core-devel mailing list