Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Re: Re: Web based password management (or how *not* to blame tye)

by mattriff (Chaplain)
on Mar 24, 2002 at 21:24 UTC ( #153940=note: print w/replies, xml ) Need Help??


in reply to Re: Web based password management (or how *not* to blame tye)
in thread Web based password management (or how *not* to blame tye)

In my experience, yes you do. :)

I worked on a web application that started by comparing whole IP addresses on each access, and we started to have quite a few reports of people behind proxy pools having a problem.

Backing up a bit and only checking to see if the IP is in the same /16 or /24 (checking the first two or three numbers, that is) helps, although it doesn't eliminate the problem entirely (and it really weakens the effectiveness of the test).

Checking IPs can be useful in some situations, but for large-scale applications where the "general public" will be connecting to your interface, I wouldn't recommend it.

- Matt Riffle

  • Comment on Re: Re: Web based password management (or how *not* to blame tye)

Replies are listed 'Best First'.
Re: Re: Re: Web based password management (or how *not* to blame tye)
by maverick (Curate) on Mar 25, 2002 at 15:49 UTC
    I worked on a web application that started by comparing whole IP addresses on each access, and we started to have quite a few reports of people behind proxy pools having a problem

    Really? I figured this sort of thing would be a very fringe condition. I figured that most people weren't behind proxies at all, and that of the proxied people, most only had one. Then of those that had multiples, the auto-proxy configuration script would pick one of the pool at random, or round robin. The concept of sending different requests from the same browser through different proxies seems counter productive to efficient caching...

    /\/\averick
    perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"

      I've been doing something similar (though I included the web browser and several other things sent by the browser) and found out that ALL users of AOL browser have this problem. A friend tried to connect using the AOL browser and was kicked out by the very first page, so he used the normal MSIE (via the same modem connection!) and everything was fine.
      == Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==
      Always code as if the guy who ends up maintaining your code
      will be a violent psychopath who knows where you live.
            -- Rick Osborne, osborne@gateway.grumman.com

      The issue isn't always caching, though ... I've run into this problem more than once by now. For example, my previous school got 3 dsl and 3 distinct isdn lines. Each of those end up in one computer, which creates ppp connections on each of the lines. HTTP (and a few other TCP protocols) is now load balanced transparently -- there are no automatic proxy selectors. The clients get one IP address to use as a proxy. This proxy sends out distinct requests over the connections in weighted round-robin fashion.

      Since the school only has about 40 clients, it makes sense (this way the lines are utilized about equally). I have seen similar setups elsewhere in schools or even on lanparties ...

      Scripts that check for the originating IP (as opposed to a session ID) are always a PITA with that -- and not really all that much more secure (IP spoofing is a concern, then), and if an attacker can easily hijack a session, one usually has different, bigger problems ;)

      Even if those setups were made for caching content (as opposed to just proxying), nobody is to say that the datastore for caching isn't the same for all the interfaces, at least when they're on the same computer, thus not being counterproductive to efficient caching ...

      You have just described AOL. If my memory serves me correctly, I have seen sub-second IP address changes in my web server logs; 1 user, 1 burst of 3 image requests, 3 different IP addresses.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://153940]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (3)
As of 2019-08-25 02:34 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?