[ic] Naming of session files for proxied requests - incorrect IPs
Mike Heins wrote:
> Quoting Andrew McBeath (andrew@ecombiz.co.nz):
>
>> But... in the interests of 'correctness' how would the following go?
>>
>> change this line in Session.pm:
>> $host = $CGI::host;
>> to
>> $host = $CGI::x_forwarded_for || $CGI::host;
>>
>> and add this line to Server.pm (line 85):
>> 'x_forwarded_for' => 'HTTP_X_FORWARDED_FOR',
>>
>> I guess you'd need to check the RFCs for proxy standards to check which
>> other headers you need to handle (if any...).
>> not to mention checking whether other proxy vendors <troll>*cough*
>> *Microsoft* *cough*</troll> decided they knew better than the RFCs and
>> use their own headers/none at all... ;-)
>
>
> I decided not to do this a long time ago. If you do this, an attacker
> can access an arbitrary session just by putting that header in. If you
> do this, you may as well run with "WideOpen Yes", which ignores the
> IP address completely.
>
> I suppose I could add a "PartlyOpen Yes" directive that would cause
> Interchange to honor the header. 8-)
>
hmmm... that point hadn't occurred to me...
I'll just drop that idea in the bin :-)
Thanks,
Andrew
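As an added illustration of Mike's objection (example code written for this page, not Interchange's own Session.pm or Server.pm), here is a small Perl script that puts the proposed `$CGI::x_forwarded_for || $CGI::host` lookup next to a variant that only honours X-Forwarded-For when the request arrives from a known reverse proxy. The trusted-proxy list, the constructed requests and the `host:id` session key shape are assumptions made for the demonstration, not Interchange configuration or an Interchange directive.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: why honouring X-Forwarded-For
# unconditionally lets a client choose the address its session is bound to,
# and a trusted-proxy variant that does not.
use strict;
use warnings;

# Assumption: one reverse proxy in front of the server is allowed to set
# X-Forwarded-For. Anything else talking to the server directly is a client.
my %TRUSTED_PROXY = ('10.0.0.5' => 1);

# The change proposed in the thread: use the header whenever it is present.
sub host_proposed {
    my ($env) = @_;
    return $env->{HTTP_X_FORWARDED_FOR} || $env->{REMOTE_ADDR};
}

# Variant: accept X-Forwarded-For only when the TCP peer is a trusted proxy,
# and then use the rightmost address, the one that proxy appended itself.
# Leftmost entries are whatever the client chose to send.
sub host_trusted_proxy {
    my ($env) = @_;
    my $peer = $env->{REMOTE_ADDR};
    return $peer unless $TRUSTED_PROXY{$peer};
    my $xff = $env->{HTTP_X_FORWARDED_FOR};
    $xff = '' unless defined $xff;
    my @hops = grep { length } map { my $h = $_; $h =~ s/^\s+|\s+$//g; $h } split /,/, $xff;
    return @hops ? $hops[-1] : $peer;
}

# Constructed requests (RFC 5737 documentation addresses). The victim sits at
# 203.0.113.7 behind the proxy; the attacker at 198.51.100.9 guesses or
# observes the victim's session id and forges the header.
my $sid = 'abc123';
my @requests = (
    [ 'victim via proxy',
      { REMOTE_ADDR => '10.0.0.5', HTTP_X_FORWARDED_FOR => '203.0.113.7' } ],
    [ 'attacker direct, forged header',
      { REMOTE_ADDR => '198.51.100.9', HTTP_X_FORWARDED_FOR => '203.0.113.7' } ],
    [ 'attacker via proxy, forged header',
      { REMOTE_ADDR => '10.0.0.5', HTTP_X_FORWARDED_FOR => '203.0.113.7, 198.51.100.9' } ],
);

# The "host:id" session key shape is an assumption for the demonstration; the
# point is only whether two different clients can end up with the same key.
for my $r (@requests) {
    my ($name, $env) = @$r;
    printf "%-36s proposed=%-32s trusted=%s\n", $name,
        host_proposed($env) . ":$sid", host_trusted_proxy($env) . ":$sid";
}
```

With the proposed lookup, the attacker's direct request yields the same key as the victim's request, so adding one header is enough to land in the victim's session, which is exactly the "WideOpen" behaviour Mike describes. The trusted-proxy variant keys the direct request on the attacker's own address, and for a request that really passed through the proxy it ignores the client-supplied leftmost entry and uses the address the proxy appended.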