Bug w/ bugzilla and loadbalancing

Kurt Pfeifle kpfeifle at danka.de
Tue Sep 24 09:58:44 BST 2002

Stephan Kulow wrote:
> Am Tuesday 24 September 2002 01:40 schrieb Bradley Baetz:
>>On Mon, 23 Sep 2002, Stephan Kulow wrote:
>>>Who said I wouldn't want to store it in the DB? I just want to make the
>>>cookie path canonial to the IP requested.
>>I'm not sure what you mean. If the IP is stored in the DB, but then is
>>verified against what the client sends, not its address, then theres not
>>much point in having that check there at all, since it would then be
>>trivially forgable (by design, in your case)
> OK, the user knows his IP quite well, there is nothing to hide from it there.
> So if the user requests login, he'll need to provide the cookie for
> Bugzilla_login_$REMOTE_HOST_IP (i.e. Bugzilla_login_80_27_72_128).
> Then this cookie is checked for the user and the IP $REMOTE_HOST_IP
> to see if it's correct. 

What happens with people behind a firewall, which imposes NAT on them?
They will all appear as coming from the same IP address? Will this have
any implications? (Probably not, it's just like different users on
on multi-user system; but then, I don't understand too much about security
and such stuff...)

> The only thing that changes to the current solution is that you can
> have two IPs without having to relogin when changing from one to
> another. You're still only qualifying for that two IPs, not for the full
> class C or B net as suggested - and you don't have to know netmasks
> as bugzilla user :)
> The only obvious drawback with my solution is that dialup users will collect
> quite some cookies over time.
> Greetings, Stephan

More information about the kde-core-devel mailing list