Problem with client ip address changing
Viitanen Viljo
viljo.v.viitanen at jyu.fi
Wed Nov 14 10:34:53 EST 2012
Scott wrote:
>Attaching whatever you have will be a start. I want to see if it lines up with
>something I've been looking into. If not, then I doubt I can do much about it,
>but I want to at least track the issue.
I'll email you what I have off-list.
>>I think in the modern world requiring client ip address not to change
>>is broken behavior.
>
>I completely disagree, but if you want to disable the check, I believe you can. I
>think you lose any real security doing so, but that's your call to make.
I agree you lose security, but not much; I'd say it's only theoretical. What's the case where the attacker is able to steal encrypted HTTP headers (client-side malware, SSL MITM?) and use them in real time, but is not able to impersonate the victim's IP address?
About disabling the check, I found this:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPProxyClustering#IdPProxyClustering-Inhibittheconsistentaddresscheck
but I must say I'm not convinced I want to use it, since I don't know how it affects the checking: in the function isCookieValid (http://svn.shibboleth.net/view/java-shib-idp2/tags/2.3.8/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java?revision=3115&view=markup#l177) there are two checks, first the IP address check and then a "shared secret" verification on the cookie digest. For sure I do not want both checks disabled.
Anyway, e.g. PayPal doesn't seem to care that the client IP address changes on the fly.
Viljo Viitanen
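As an added illustration (not Shibboleth's code and not its real cookie format), the following constructed model shows the two independent checks discussed above: an address-consistency check that can be switched off, and a shared-secret digest check that stays in place. Cookie layout, secret and addresses are all assumptions made for the example.

```python
import hmac
import hashlib

# Constructed demo secret: stands in for the secret shared between IdP nodes.
SHARED_SECRET = b"constructed-demo-secret"


def _digest(session_id: str, issued_addr: str) -> str:
    # The digest covers both fields, so neither can be swapped without detection.
    msg = f"{session_id}|{issued_addr}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, client_addr: str) -> str:
    """Build a cookie value of the form id|addr|digest (assumed layout)."""
    return f"{session_id}|{client_addr}|{_digest(session_id, client_addr)}"


def is_cookie_valid(cookie: str, remote_addr: str, check_address: bool = True) -> bool:
    """Validate a cookie with the two checks kept separate:
    1. consistent-address check (optional),
    2. shared-secret digest check (always applied)."""
    try:
        session_id, issued_addr, digest = cookie.split("|")
    except ValueError:
        return False  # malformed cookie
    # Check 1: the presenting client must be the address the cookie was issued to.
    if check_address and issued_addr != remote_addr:
        return False
    # Check 2: recompute the digest and compare in constant time.
    expected = _digest(session_id, issued_addr)
    return hmac.compare_digest(expected, digest)
```

With the address check disabled, a cookie presented from a new address is accepted, but any change to the session id or the embedded address still fails the digest check.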