Problem with client ip address changing

Cantor, Scott cantor.2 at
Wed Nov 14 10:59:04 EST 2012

On 11/14/12 10:34 AM, "Viitanen Viljo" <viljo.v.viitanen at> wrote:

>Scott wrote:
>>Attaching whatever you have will be a start. I want to see if it lines
>>up with
>>something I've been looking into. If not, then I doubt I can do much
>>about it,
>>but I want to at least track the issue.
>I'll email you what I have off-list.

Please just file a bug. You can limit access to attachments if you need to.

>I agree you lose security, but not much, I'd say it's only theoretical.
>What's the case where the attacker is able to steal encrypted http
>headers (clientside malware, SSL MITM?), use them real-time, but not
>being able to impersonate the victim's ip address?

That's how XSS attacks work. It's not theoretical at all. There are also
SSL attacks that allow cookie recovery in some cases. There are logs and
proxies that expose cookies.

>About disabling the check,  I found this:
>but I must say I'm not convinced I want to use it, I don't know how it
>affects the checking: At the function isCookieValid
>on=3115&view=markup#l177) there are two checks, first the ip address and
>a "shared secret" verification on the cookie digest. For sure I do not
>want both checks disabled.

Looking at the code, it's fairly obvious it doesn't do that.

>Anyway e.g. paypal doesn't seem to care that the client ip address
>changes on the fly.

Then change the setting if that's what you prefer.

-- Scott

More information about the users mailing list