[ic] Naming of session files for proxied requests - incorrect ip's

Andrew McBeath interchange-users@interchange.redhat.com
Mon Feb 4 00:51:01 2002


Hi all,

I just wrote a real dirty hack (i.e. not recommended as a production 
server fix) to carry the session between different secure and non-secure 
domains - 15-odd lines that detect the session id change and then copy 
the old session file over the top of the new one *gasp*!! - no comments on 
that please, I was only fiddling and that is not the topic of this post:

In the process, I was playing round with the handling of session data 
and noticed the following:

The session filename is constructed as 'session id:remote address' 
($Vend::SessionID:$CGI::host - in  Session.pm, session_name())

But... when using an ISP that uses a Squid proxy, $CGI::host is set to the 
proxy's IP instead of the client's actual IP.
Furthermore, when I connected to the secure part of the site (not via 
the proxy) it created a new session file with my correct IP in place of 
the previous proxy's IP (port 443 evidently doesn't run through Squid in 
this case) - no surprise there, as the 'different session between 
secure and non-secure domains' issue is well known and not too hard to 
fix, but the real problem now comes because the IP component of my 
non-secure session filename suddenly became my proper IP... leaving me 
with three session files...

I can't see this really being a problem in reality (indeed, it probably 
only surfaces when doing what I just did), and it would be fixed by 
properly dealing with the bigger issues here, i.e. get yourself a key 
for your domain... (a topic already well discussed, I think)... ;) 

But... in the interests of 'correctness' how would the following go?

change this line in Session.pm:
   $host = $CGI::host;
to
   $host = $CGI::x_forwarded_for || $CGI::host;

and add this line to Server.pm (line 85):   
   'x_forwarded_for' => 'HTTP_X_FORWARDED_FOR',

I guess you'd need to check the RFCs for proxy standards to see which 
other headers you need to handle (if any...), 
not to mention checking whether other proxy vendors <troll>*cough* 
*Microsoft* *cough*</troll> decided they knew better than the RFCs and 
use their own headers/none at all... ;-)

Also, I was wondering what the next lines of code in Session.pm take 
care of:
       $proxy = index($host,"proxy");
       $host = substr($host,$proxy)
           if ($proxy >= 0);

That is, when does the $CGI::host string contain the word 'proxy'?

Cheers,

Andrew
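An added stand-alone illustration (not Interchange code, and not part of the post above) of the three ways of picking the host component of a 'session id:host' name that the post discusses: the original behaviour (REMOTE_ADDR only, which splits the session between the proxied and the direct connection), the proposed 'X-Forwarded-For || REMOTE_ADDR' (which heals the split but lets any client supply the host component by setting the header), and a variant that only believes X-Forwarded-For when the peer is one of a configured set of trusted proxies. The trusted-proxy list, the session id and all addresses are constructed for the example; the 'proxy' substring rule is the one quoted from Session.pm, transcribed into Python.

```python
"""Added example: proxy-aware host component for 'session id:host' names.
Everything below is constructed for illustration; it is not Interchange code.
"""
from ipaddress import ip_address, ip_network

# Constructed: the front-end proxies / ISP caches whose X-Forwarded-For we
# are willing to believe. Anything else is treated as an end client.
TRUSTED_PROXIES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]

# Constructed CGI environments (subset of what a web server would pass).
ENV_PROXIED = {"REMOTE_ADDR": "203.0.113.7",        # the ISP's Squid box
               "HTTP_X_FORWARDED_FOR": "198.51.100.20"}
ENV_DIRECT = {"REMOTE_ADDR": "198.51.100.20"}        # port 443, no proxy
ENV_SPOOFED = {"REMOTE_ADDR": "192.0.2.99",          # some other client...
               "HTTP_X_FORWARDED_FOR": "198.51.100.20"}  # ...lying about itself
ENV_CHAINED = {"REMOTE_ADDR": "203.0.113.7",         # two hops, plus a
               "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.20, 10.1.2.3"}  # client-inserted entry


def is_trusted_proxy(addr):
    """True if addr falls inside one of the configured proxy networks."""
    try:
        ip = ip_address(addr)
    except ValueError:          # hostnames and garbage are never trusted
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def remote_addr_host(env):
    """Original behaviour: $host = $CGI::host (the peer address only)."""
    return env["REMOTE_ADDR"]


def naive_host(env):
    """The post's proposal: $CGI::x_forwarded_for || $CGI::host.
    Whoever sends the header decides the host component."""
    return env.get("HTTP_X_FORWARDED_FOR") or env["REMOTE_ADDR"]


def client_host(env):
    """Walk the hop list right to left, discarding trusted proxies, and use
    the first address a trusted proxy vouched for. A client-inserted entry
    further left is never reached, and an untrusted peer's header is ignored."""
    header = env.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    hops.append(env["REMOTE_ADDR"])          # the peer we actually talked to
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return hops[0]                           # every hop trusted: leftmost entry


def normalize_host(host):
    """The substring rule quoted from Session.pm: if the host string contains
    'proxy', keep only the part from 'proxy' onwards, so e.g.
    'cache-dq01.proxy.example.net' and 'cache-rb02.proxy.example.net' both
    become 'proxy.example.net'. Plain IP addresses are unaffected."""
    i = host.find("proxy")
    return host[i:] if i >= 0 else host


def session_name(session_id, env, resolver=client_host):
    """Build the 'session id:host' name with the chosen host resolver."""
    return f"{session_id}:{normalize_host(resolver(env))}"


def split_session_demo(session_id="abc123"):
    """Names produced for the proxied HTTP request and the direct HTTPS
    request under each policy; a mismatch means two session files."""
    return {
        "remote_addr": (session_name(session_id, ENV_PROXIED, remote_addr_host),
                        session_name(session_id, ENV_DIRECT, remote_addr_host)),
        "naive_xff": (session_name(session_id, ENV_PROXIED, naive_host),
                      session_name(session_id, ENV_DIRECT, naive_host)),
        "trusted_xff": (session_name(session_id, ENV_PROXIED, client_host),
                        session_name(session_id, ENV_DIRECT, client_host)),
    }


if __name__ == "__main__":
    for policy, (proxied, direct) in split_session_demo().items():
        print(f"{policy:12} proxied={proxied:22} direct={direct:22} "
              f"{'same' if proxied == direct else 'SPLIT'}")
    print("spoofed, naive  :", naive_host(ENV_SPOOFED))
    print("spoofed, trusted:", client_host(ENV_SPOOFED))
```

The point the example makes: X-Forwarded-For is just a request header (it came from Squid as a de facto convention, not from an RFC at the time of the post), so using it unconditionally lets a client choose the host half of someone else's session name; gating it on a trusted-proxy list keeps the fix for the proxy/direct split while ignoring the header from peers that are not your proxies.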