[ic] Naming of session files for proxied requests - incorrect ip's

Mike Heins interchange-users@interchange.redhat.com
Mon Feb 4 02:08:01 2002


Quoting Andrew McBeath (andrew@ecombiz.co.nz):
> But... in the interests of 'correctness' how would the following go?
> 
> change this line in Session.pm:
>    $host = $CGI::host;
> to
>    $host = $CGI::x_forwarded_for || $CGI::host;
> 
> and add this line to Server.pm (line 85):   
>    'x_forwarded_for' => 'HTTP_X_FORWARDED_FOR',
> 
> I guess you'd need to check the RFCs for proxy standards to check which 
> other headers you need to handle (if any...).
> not to mention checking whether other proxy vendors <troll>*cough* 
> *Microsoft* *cough*</troll> decided they knew better than the RFCs and 
> use their own headers/none at all... ;-)

I decided not to do this a long time ago. If you do this, an attacker
can access an arbitrary session just by putting that header in. If you
do this, you may as well run with "WideOpen Yes", which ignores the
IP address completely.

I suppose I could add a "PartlyOpen Yes" directive that would cause
Interchange to honor the header. 8-)

-- 
Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH  45013
phone +1.513.523.7621      <mheins@redhat.com>

Friends don't let friends use Outlook. -- Bob Blaylock
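As an added Python example (not Interchange's Perl code, and not from either poster), the trust model of the quoted patch beside one that only honours X-Forwarded-For when the TCP peer is a proxy we operate; the proxy address and the session record are constructed:

```python
import ipaddress

# Constructed assumption: the one reverse proxy sitting in front of the application.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def client_ip_naive(remote_addr, x_forwarded_for=None):
    """What the quoted patch does: honour X-Forwarded-For no matter who sent it."""
    return x_forwarded_for or remote_addr

def client_ip_trusted(remote_addr, x_forwarded_for=None):
    """Honour X-Forwarded-For only when the peer is one of our proxies.
    Walk the chain from the right (the hop our proxy appended); the first
    address that is not one of our proxies is the one the session binds to."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not x_forwarded_for:
        return str(peer)
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: trust none of it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # every hop was our own proxy; fall back to the peer

def session_matches(session, remote_addr, x_forwarded_for, resolver):
    """Session.pm-style check: a session is usable only from the host it was created on."""
    return session["host"] == resolver(remote_addr, x_forwarded_for)

# Constructed: a session created by a client at 203.0.113.7 behind our proxy.
SESSION = {"id": "constructed-session-id", "host": "203.0.113.7"}

if __name__ == "__main__":
    # A direct connection from 198.51.100.9 that simply sets the header.
    for name, resolver in (("naive", client_ip_naive), ("trusted", client_ip_trusted)):
        ok = session_matches(SESSION, "198.51.100.9", "203.0.113.7", resolver)
        print(f"{name}: header-only claim accepted = {ok}")
```

With the naive resolver the header alone reproduces the session's host, which is the hijack Mike describes; the trusted resolver binds that connection to 198.51.100.9 instead.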