Bug w/ bugzilla and loadbalancing

Bradley Baetz bbaetz at student.usyd.edu.au
Sat Sep 21 00:31:34 BST 2002


On Sat, 21 Sep 2002, Stephan Kulow wrote:

> Currently you have to relogin whenever you change location/IP. With the 
> proposed patch you can give up any security (taking that the home is in
> some dialup network while the office is in the company's network - not
> even class B net) or relogin on any change.

Well, my latest patch allows the user, when they log in, to have the option 
of restricting the login to the current class C (although the admin could 
change that to any netmask they want).

In the laptop-moving-from-work-to-home scenario, though, you only have to
log in once per move - I don't see that as an issue, really, since it's only
going to happen 2-3 times a day. The problem which bug 20122 is trying to
solve is that people who are behind multiple transparent proxies (i.e. me)
have to log on all the time, every few minutes.

> 
> My suggestion is: keep the IP in the cookie path, so you have to login for
> any new IP, but never again as long as you have the cookie.

But that's no security at all, because if you don't store the IP in the db, 
then the user can bypass the restrictions by changing the cookie, and if 
you do store the IP in the db, then another user can bypass the IP 
restrictions by sniffing your connection, and sending back that IP.

Or am I missing something?

> 
> Greetings, Stephan
> 

Bradley
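
The netmask-restricted login discussed in this message, sketched in Python as an added example; it is not Bugzilla's code or the patch from bug 20122. The function names, the in-memory session table standing in for the database, and the sample addresses are assumptions.

```python
import ipaddress
import secrets

# Assumption: an in-memory dict stands in for the server-side login table.
SESSIONS = {}

def login(user, client_ip, prefix_len=24):
    """Issue an opaque login cookie and record, server-side, the network it is bound to.

    prefix_len=24 is the "current class C" option; 32 pins the login to one
    address; an admin-chosen value widens or narrows the allowed range.
    """
    network = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    token = secrets.token_hex(16)  # the cookie carries no address the client could edit
    SESSIONS[token] = (user, network)
    return token

def check(token, client_ip):
    """Return the user name if the cookie is known and the request's source
    address falls inside the network stored at login, otherwise None."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, network = entry
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # malformed source address: treat as not logged in
    return user if addr in network else None

if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    tok = login("alice", "192.0.2.10")       # bound to 192.0.2.0/24
    print(check(tok, "192.0.2.200"))         # another proxy in the same /24
    print(check(tok, "198.51.100.7"))        # different network: must log in again
```

The comparison uses the address the server sees on the connection and the network stored at login, so nothing in the cookie itself decides which addresses are accepted.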




