[ic] Naming of session files for proxied requests - incorrect ip's

Mike Heins interchange-users@interchange.redhat.com
Mon Feb 4 11:36:01 2002


Quoting Andrew McBeath (andrew@zeald.com):
> Mike Heins wrote:
> 
> > Quoting Andrew McBeath (andrew@ecombiz.co.nz):
> > 
> >> But... in the interests of 'correctness' how would the following go?
> >> 
> >> change this line in Session.pm:
> >>    $host = $CGI::host;
> >> to
> >>    $host = $CGI::x_forwarded_for || $CGI::host;
> >> 
> >> and add this line to Server.pm (line 85):   
> >>    'x_forwarded_for' => 'HTTP_X_FORWARDED_FOR',
> >> 
> >> I guess you'd need to check the RFC's for proxy standards to check which 
> >> other headers you need to handle (if any...).
> >> not to mention checking whether other proxy vendors <troll>*cough* 
> >> *Microsoft* *cough*</troll> decided they knew better than the RFC's and 
> >> use their own headers/none at all... ;-)
> > 
> > 
> > I decided not to do this a long time ago. If you do this, an attacker
> > can access an arbitrary session just by putting that header in. If you
> > do this, you may as well run with "WideOpen Yes", which ignores the
> > IP address completely.
> > 
> > I suppose I could add a "PartlyOpen Yes" directive that would cause
> > Interchange to honor the header. 8-)
> > 
> hmmm... that point hadn't occurred to me...
> I'll just drop that idea in the bin  :-)
> 

Thanks for bringing it up, though. Interchange has grown because of
ideas like that.


In fact, it isn't such a bad idea after all, and I might revisit it.
If we check the IP of the proxy server as well in the process and use
it, and record the IP of the *initial* access from the client, it might
make sense.

As a solution to proxy problems with the secure server, I recommend
that people run in catalog.cfg:

	WideOpen      Yes
	SessionExpire 20 min

Twenty minutes is a short time, and since we never store credit
card numbers in the session it isn't too insecure.
-- 
Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH  45013
phone +1.513.523.7621      <mheins@redhat.com>

Experience is what allows you to recognize a mistake the second
time you make it. -- unknown
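As an added illustration of the "check the IP of the proxy server as well" idea from the reply above (example code written for this note, not Interchange's own Session.pm or Server.pm; the trusted-proxy list, the `session_host` name and the request values are constructed):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Addresses of our own reverse proxies (constructed example values).
my %TRUSTED_PROXY = map { $_ => 1 } qw(10.0.0.5 10.0.0.6);

# Return the host string used to name and bind the session.
# X-Forwarded-For is honoured only when the direct peer is a trusted
# proxy, and the session is then bound to BOTH the proxy and the
# original client, so a forged header sent from an arbitrary host
# never selects another visitor's session.
sub session_host {
    my ($env) = @_;
    my $peer = $env->{REMOTE_ADDR} // '';
    my $xff  = $env->{HTTP_X_FORWARDED_FOR} // '';

    # Untrusted peer: ignore the header entirely, behave like today.
    return $peer unless $TRUSTED_PROXY{$peer};

    # The header may be a comma-separated chain; only the last entry was
    # appended by our proxy, and it is the only one the proxy vouches for.
    my @chain  = grep { length } map { s/^\s+|\s+$//gr } split /,/, $xff;
    my $client = $chain[-1] // '';

    # Accept only a plausible dotted-quad IPv4 address; anything else
    # falls back to binding the session to the proxy address alone.
    return $peer
        unless $client =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
            && !grep { $_ > 255 } ($1, $2, $3, $4);

    return "$peer/$client";
}

# Constructed requests: trusted proxy, trusted proxy with a chain,
# a direct client forging the header, and a malformed header value.
my @requests = (
    { REMOTE_ADDR => '10.0.0.5',  HTTP_X_FORWARDED_FOR => '203.0.113.7' },
    { REMOTE_ADDR => '10.0.0.5',  HTTP_X_FORWARDED_FOR => '198.51.100.2, 203.0.113.7' },
    { REMOTE_ADDR => '192.0.2.9', HTTP_X_FORWARDED_FOR => '203.0.113.7' },
    { REMOTE_ADDR => '10.0.0.5',  HTTP_X_FORWARDED_FOR => 'not-an-ip' },
);
print session_host($_), "\n" for @requests;
```

The forged case resolves to the sender's own REMOTE_ADDR, which is the property that "WideOpen Yes" gives up.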