[ic] process.html 404 errors

Peter peter at pajamian.dhs.org
Mon Mar 15 19:51:53 UTC 2010


On 15/03/10 08:29, Grant wrote:
>>>>>> This would appear to be due to the timed build of the product tree.
>>>  Any
>>>>>> suggestions on how to best work around that?  Perhaps only
>>> timed_build
>>>>>> if a cookie is present?
>>> I don't use a timed build so the issue I'm seeing must be different,

Are you sure?  If you're using the standard demo unmodified then you are
using a timed build for the product tree.

>>> but I think I've found an IC bug.  I've just seen the same problem
>>> again from another Mac/Safari user:
>>>
>>> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us)
>>> AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
>>>
>>> The user had a [read-cookie MV_SESSION_ID] value containing a
>>> different IP address from a previous visit a few days earlier.  That
>>> previous visit worked perfectly, I can see that the session ID was
>>> consistent throughout the IP's activity.  During the user's most
>>> recent visit on a new IP, the session ID changed with every page
>>> access.

Session cookies are not really meant to be stored persistently.  If a
dynamic IP address changes during a session you can indeed have issues.
 DomainTail (which is set to yes by default) can help out in this situation.

>>> Since the MV_SESSION_ID cookie should expire at the end of every
>>> browser session, I'm thinking the user must have visited the site via
>>> one connection, and then switched connections without closing the
>>> browser.  The session cookie containing the wrong IP address must be
>>> causing IC's session persistence to fail.

This is possible.  If the new IP address resolves to a different domain
than the old then DomainTail won't help with this.

>>> Can anyone here access the internet via 2 different IPs to test this?
>>> Even better if you can use Safari, even better if you can use a Mac.
>> No Mac/Safari, but tried some with 2 different IPs while having old browser
>> open etc.
>> I tested on demo.icdevgroup.org  ...
>>
>> I did not experience any issues with my tests.

The two IPs will need to resolve to different domains unless DomainTail
has explicitly been set to no.

>> Do you use one of the following directives:
>> http://www.interchange.rtfm.info/icdocs/config/DomainTail.html
>> http://www.interchange.rtfm.info/icdocs/config/WideOpen.html
>> http://www.interchange.rtfm.info/icdocs/config/TrustProxy.html
> 
> Thank you for testing Gert.  I don't use any of those directives.

Read up on the directives at the links above.  One of them may help in
your situation but understand the security implications of using them.

This is not really a bug in Interchange so much as a security feature
that can have certain unintended consequences in the event that an IP
address changes during the browser session.  It's sort of a trade-off in
that the extra security is deemed worth it for the few instances where
this will cause a problem.


Peter




More information about the interchange-users mailing list