[ic] Naming of session files for proxied requests - incorrect IPs

Andrew McBeath interchange-users@interchange.redhat.com
Mon Feb 4 04:19:00 2002


Mike Heins wrote:

> Quoting Andrew McBeath (andrew@ecombiz.co.nz):
> 
>> But... in the interests of 'correctness' how would the following go?
>> 
>> change this line in Session.pm:
>>    $host = $CGI::host;
>> to
>>    $host = $CGI::x_forwarded_for || $CGI::host;
>> 
>> and add this line to Server.pm (line 85):   
>>    'x_forwarded_for' => 'HTTP_X_FORWARDED_FOR',
>> 
>> I guess you'd need to check the RFCs for proxy standards to check which 
>> other headers you need to handle (if any...).
>> not to mention checking whether other proxy vendors <troll>*cough* 
>> *Microsoft* *cough*</troll> decided they knew better than the RFCs and 
>> use their own headers/none at all... ;-)
> 
> 
> I decided not to do this a long time ago. If you do this, an attacker
> can access an arbitrary session just by putting that header in. If you
> do this, you may as well run with "WideOpen Yes", which ignores the
> IP address completely.
> 
> I suppose I could add a "PartlyOpen Yes" directive that would cause
> Interchange to honor the header. 8-)
> 
hmmm... that point hadn't occurred to me...
I'll just drop that idea in the bin  :-)

Thanks,

Andrew
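The point Mike raises above is worth seeing in working code. The following is an added example, not Interchange code and not from either poster; it is written in Python rather than Perl so it runs stand-alone. It puts the posted suggestion (header wins over the peer address) beside the usual hardened form: honour X-Forwarded-For only when the TCP peer is one of a configured set of trusted proxies, and then walk the chain from the right, since only the entries appended by your own proxies are trustworthy, while anything the client put in the header itself is attacker-controlled. The `trusted_proxies` network list, the helper names and all IP addresses are constructed for the demonstration.

```python
"""
Client-address resolution for session/IP binding (constructed example).

naive_session_host     mirrors the posted suggestion: X-Forwarded-For
                       overrides the peer address unconditionally.
hardened_session_host  trusts X-Forwarded-For only when the peer is a
                       configured proxy, and reads the chain right-to-left.
"""
import ipaddress


def naive_session_host(env):
    """Equivalent of `$CGI::x_forwarded_for || $CGI::host` (assumed mapping):
    whoever sets the header chooses the address the session is bound to."""
    return env.get("HTTP_X_FORWARDED_FOR") or env.get("REMOTE_ADDR")


def hardened_session_host(env, trusted_proxies):
    """Return the client address as vouched for by our own proxies.

    trusted_proxies: iterable of CIDR strings (hypothetical config value).
    env: CGI-style environment dict with REMOTE_ADDR / HTTP_X_FORWARDED_FOR.
    """
    peer = env.get("REMOTE_ADDR")
    if peer is None:
        raise ValueError("REMOTE_ADDR missing from environment")
    networks = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # not even an IP address: never trusted
        return any(ip in net for net in networks)

    # Direct connection or an unknown peer: the header is client-supplied
    # and must be ignored, otherwise it becomes the hijack Mike describes.
    if not is_trusted(peer):
        return peer

    chain = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    chain = [h for h in chain if h]

    # Walk from the right: each trusted proxy appended the address it saw,
    # so the first untrusted hop (from the right) is the real client. Entries
    # further left were supplied by the client and are not trustworthy.
    for hop in reversed(chain):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the peer address
        return hop
    return peer  # empty chain or all hops trusted: nothing better than the peer


def session_matches(bound_host, env, resolver):
    """True when the request resolves to the address the session was bound to."""
    return resolver(env) == bound_host


if __name__ == "__main__":
    # Constructed scenario: victim's session is bound to 203.0.113.5,
    # attacker at 198.51.100.9 connects directly and forges the header.
    victim = "203.0.113.5"
    forged = {"REMOTE_ADDR": "198.51.100.9", "HTTP_X_FORWARDED_FOR": victim}
    proxies = ["10.0.0.0/8"]
    hardened = lambda e: hardened_session_host(e, proxies)
    print("naive accepts forged request:", session_matches(victim, forged, naive_session_host))
    print("hardened accepts forged request:", session_matches(victim, forged, hardened))
```

Note that the hardened variant still depends on the trusted-proxy list being accurate: if an attacker can reach the application from an address inside `trusted_proxies`, or if the real proxy does not append its own entry to the chain, the header again becomes client-controlled and the binding collapses to the same state as ignoring the IP address.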