[ic] Naming of session files for proxied requests - incorrect ip's
Quoting Andrew McBeath (andrew@zeald.com):
> Mike Heins wrote:
>
> > Quoting Andrew McBeath (andrew@ecombiz.co.nz):
> >
> >> But... in the interests of 'correctness' how would the following go?
> >>
> >> change this line in Session.pm:
> >> $host = $CGI::host;
> >> to
> >> $host = $CGI::x_forwarded_for || $CGI::host;
> >>
> >> and add this line to Server.pm (line 85):
> >> 'x_forwarded_for' => 'HTTP_X_FORWARDED_FOR',
> >>
> >> I guess you'd need to check the RFC's for proxy standards to check which
> >> other headers you need to handle (if any...).
> >> not to mention checking whether other proxy vendors <troll>*cough*
> >> *Microsoft* *cough*</troll> decided they knew better than the RFC's and
> >> use their own headers/none at all... ;-)
> >
> >
> > I decided not to do this a long time ago. If you do this, an attacker
> > can access an arbitrary session just by putting that header in. If you
> > do this, you may as well run with "WideOpen Yes", which ignores the
> > IP address completely.
> >
> > I suppose I could add a "PartlyOpen Yes" directive that would cause
> > Interchange to honor the header. 8-)
> >
> hmmm... that point hadn't occurred to me...
> I'll just drop that idea in the bin :-)
>
Thanks for bringing it up, though. Interchange has grown because of
ideas like that.
In fact, it isn't such a bad idea after all, and I might revisit it.
If we check the IP of the proxy server as well in the process and use
it, and record the IP of the *initial* access from the client, it might
make sense.
As a solution to proxy problems with the secure server, I recommend
that people run in catalog.cfg:
WideOpen Yes
SessionExpire 20 min
Twenty minutes is a short time, and since we never store credit
card numbers in the session it isn't too insecure.
--
Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH 45013
phone +1.513.523.7621 <mheins@redhat.com>
Experience is what allows you to recognize a mistake the second
time you make it. -- unknown
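The trade-off discussed above, as an added example that is not Interchange code and not from this thread. It contrasts the naive `$CGI::x_forwarded_for || $CGI::host` lookup (any client can pick the host a session is bound to by sending the header) with the variant Mike sketches: honor the header only when the TCP peer is a known proxy, take the rightmost address that is not one of our own proxies, and record both the client host and the proxy host when the session is first created. The trusted proxy range, the session store, and the sample addresses are constructed for the example; `wide_open` models the `WideOpen Yes` directive.

```python
"""Session host binding that honors X-Forwarded-For only from a trusted proxy.

Added example (not Interchange's Session.pm/Server.pm). The peer IP is the TCP
REMOTE_ADDR, which an HTTP header cannot forge; the header is only believed
when that peer is one of our own proxies.
"""
import ipaddress

# Constructed sample: in a real deployment this comes from configuration.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_resolve(peer_ip, x_forwarded_for=None):
    """The rejected approach: trust the header whenever it is present."""
    return x_forwarded_for or peer_ip


def resolve_client_host(peer_ip, x_forwarded_for=None):
    """Return (client_host, proxy_host) for binding a session.

    proxy_host is None when the request did not arrive via a trusted proxy.
    """
    peer = str(ipaddress.ip_address(peer_ip))
    if x_forwarded_for is None or not is_trusted_proxy(peer):
        # No header, or a header from an untrusted peer: ignore it entirely.
        return peer, None
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk from the right: our proxies append to the list, so anything left of
    # the first non-proxy address was supplied by the client and is untrusted.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed header: fall back to the peer we can actually verify.
            return peer, None
        if not is_trusted_proxy(addr):
            return str(addr), peer
    # Every hop was one of our proxies; bind to the peer itself.
    return peer, None


class SessionStore:
    """Minimal in-memory store that binds each session to the host that created it."""

    def __init__(self, wide_open=False):
        self.wide_open = wide_open  # models "WideOpen Yes": skip the host check
        self._sessions = {}

    def create(self, session_id, peer_ip, x_forwarded_for=None):
        client, proxy = resolve_client_host(peer_ip, x_forwarded_for)
        # Record the initial client host and the proxy it came through.
        self._sessions[session_id] = {
            "client_host": client,
            "proxy_host": proxy,
            "data": {},
        }
        return self._sessions[session_id]

    def fetch(self, session_id, peer_ip, x_forwarded_for=None):
        """Return the session if the request's host binding matches, else None."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        if self.wide_open:
            return sess
        client, _proxy = resolve_client_host(peer_ip, x_forwarded_for)
        if client != sess["client_host"]:
            return None
        return sess


if __name__ == "__main__":
    store = SessionStore()
    store.create("s1", "10.0.0.5", "203.0.113.7")  # real client via our proxy
    print(store.fetch("s1", "10.0.0.5", "203.0.113.7") is not None)      # True
    print(store.fetch("s1", "198.51.100.9", "203.0.113.7") is None)      # True
    print(naive_resolve("198.51.100.9", "203.0.113.7"))                  # 203.0.113.7
```

With the header honored only behind a trusted proxy, a request that arrives directly with a forged header binds to its own peer address and misses the session, whereas `naive_resolve` would have bound it to whatever the header said. The `wide_open` store shows what `WideOpen Yes` gives up: any peer with the session id gets the session, which is why the thread pairs it with a short `SessionExpire`.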