Bug w/ bugzilla and loadbalancing

Stephan Kulow coolo at kde.org
Tue Sep 24 09:19:51 BST 2002


On Tuesday 24 September 2002 01:40, Bradley Baetz wrote:
> On Mon, 23 Sep 2002, Stephan Kulow wrote:
> > Who said I wouldn't want to store it in the DB? I just want to make the
> > cookie path canonical to the IP requested.
>
> I'm not sure what you mean. If the IP is stored in the DB, but then is
> verified against what the client sends, not its address, then there's not
> much point in having that check there at all, since it would then be
> trivially forgeable (by design, in your case)
>
OK, the user knows his IP quite well, there is nothing to hide from it there.

So if the user requests login, he'll need to provide the cookie for
Bugzilla_login_$REMOTE_HOST_IP (i.e. Bugzilla_login_80_27_72_128).
Then this cookie is checked for the user and the IP $REMOTE_HOST_IP
to see if it's correct. 

The only thing that changes to the current solution is that you can
have two IPs without having to relogin when changing from one to
another. You're still only qualifying for those two IPs, not for the full
class C or B net as suggested - and you don't have to know netmasks
as a Bugzilla user :)

The only obvious drawback with my solution is that dialup users will collect
quite some cookies over time.

Greetings, Stephan
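
The scheme proposed in the message above, as an added sketch that is not part of the original mail and is not Bugzilla's code: the server derives the cookie name from the address it observes and checks the token against a row stored for that user and that IP. The in-memory table, the `user:token` cookie value format and the function names are assumptions made for illustration; IPv4 only.

```python
import hmac
import secrets

# Constructed stand-in for the login-cookie table in the DB: (user, ip) -> token.
LOGIN_TABLE = {}

def cookie_name(remote_ip):
    """Name built from the address the server sees, e.g. Bugzilla_login_80_27_72_128."""
    return "Bugzilla_login_" + remote_ip.replace(".", "_")

def login(user, remote_ip):
    """Issue a token bound to (user, remote_ip); return (cookie name, cookie value)."""
    token = secrets.token_hex(16)
    LOGIN_TABLE[(user, remote_ip)] = token
    return cookie_name(remote_ip), f"{user}:{token}"

def check(cookies, remote_ip):
    """Return the user if the cookie for this connection's IP matches the stored row."""
    # The name is chosen from the connection's address, never from client input,
    # so the client cannot pick which IP's cookie gets evaluated.
    value = cookies.get(cookie_name(remote_ip))
    if value is None:
        return None
    user, _, token = value.partition(":")
    stored = LOGIN_TABLE.get((user, remote_ip))
    if stored is None:
        return None
    if not hmac.compare_digest(stored.encode(), token.encode()):
        return None
    return user

def demo():
    """One browser jar, two logins from two addresses (constructed sample values)."""
    home, office, other = "80.27.72.128", "192.0.2.10", "198.51.100.7"
    jar = dict([login("coolo", home), login("coolo", office)])
    results = {
        "home": check(jar, home),      # accepted, no relogin needed
        "office": check(jar, office),  # accepted, no relogin needed
        "other": check(jar, other),    # no cookie and no row for this address
        # Home token replayed under the office cookie name: token mismatch.
        "renamed": check({cookie_name(office): jar[cookie_name(home)]}, office),
    }
    return jar, results

if __name__ == "__main__":
    print(demo()[1])
```

The jar grows by one cookie per address the user has logged in from, which is the dial-up drawback the message mentions.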





More information about the kde-core-devel mailing list