Problem with client ip address changing
Cantor, Scott
cantor.2 at osu.edu
Wed Nov 14 10:59:04 EST 2012
On 11/14/12 10:34 AM, "Viitanen Viljo" <viljo.v.viitanen at jyu.fi> wrote:
>Scott wrote:
>
>>Attaching whatever you have will be a start. I want to see if it lines up with something I've been looking into. If not, then I doubt I can do much about it, but I want to at least track the issue.
>
>I'll email you what I have off-list.
Please just file a bug. You can limit access to attachments if you need to.
>I agree you lose security, but not much, I'd say it's only theoretical. What's the case where the attacker is able to steal encrypted http headers (clientside malware, SSL MITM?), use them real-time, but not be able to impersonate the victim's ip address?
That's how XSS attacks work. It's not theoretical at all. There are also
SSL attacks that allow cookie recovery in some cases. There are logs and
proxies that expose cookies.
>About disabling the check, I found this:
>https://wiki.shibboleth.net/confluence/display/SHIB2/IdPProxyClustering#IdPProxyClustering-Inhibittheconsistentaddresscheck
>but I must say I'm not convinced I want to use it, I don't know how it affects the checking: At the function isCookieValid (http://svn.shibboleth.net/view/java-shib-idp2/tags/2.3.8/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java?revision=3115&view=markup#l177) there are two checks, first the ip address and a "shared secret" verification on the cookie digest. For sure I do not want both checks disabled.
Looking at the code, it's fairly obvious it doesn't do that.
>Anyway e.g. paypal doesn't seem to care that the client ip address changes on the fly.
Then change the setting if that's what you prefer.
-- Scott
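The thread turns on the point that the session filter applies two independent checks: a client-address consistency check, and a digest check that ties the cookie to a server-side shared secret. The following is an added illustration, not the Shibboleth IdP's own code, of how such a validator keeps the two checks separate, so that inhibiting the address check (the setting linked above) leaves the digest verification in place. The session store, the cookie layout (`<session id>|<hex HMAC-SHA256>`) and the shared secret are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed shared secret for the example; a real deployment keeps this in
# server-side configuration and never sends it to the client.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Constructed server-side session store: session id -> client address seen at login.
SESSIONS: Dict[str, str] = {}


def create_session(session_id: str, client_addr: str) -> str:
    """Record the session's originating address and return the cookie value."""
    SESSIONS[session_id] = client_addr
    digest = hmac.new(SHARED_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}|{digest}"


def is_cookie_valid(cookie: str, request_addr: str,
                    check_address: bool = True) -> Tuple[bool, str]:
    """Validate a presented cookie; returns (accepted, reason).

    The digest check always runs: a cookie whose HMAC does not match the
    shared secret is rejected regardless of configuration. The address
    consistency check runs only when check_address is True, which models
    the 'inhibit the consistent address check' setting from the thread.
    """
    try:
        session_id, presented_digest = cookie.split("|", 1)
    except ValueError:
        return False, "malformed cookie"

    # Check 1 (always on): cookie digest must match the shared secret.
    expected_digest = hmac.new(SHARED_SECRET, session_id.encode(),
                               hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_digest, presented_digest):
        return False, "digest mismatch"

    bound_addr = SESSIONS.get(session_id)
    if bound_addr is None:
        return False, "unknown session"

    # Check 2 (configurable): request must come from the address the
    # session was bound to. Disabling it trades the XSS/cookie-theft
    # defence Scott describes for tolerance of clients whose address changes.
    if check_address and request_addr != bound_addr:
        return False, "address mismatch"

    return True, "ok"


if __name__ == "__main__":
    cookie = create_session("sess-1", "192.0.2.10")
    print(is_cookie_valid(cookie, "192.0.2.10"))
    print(is_cookie_valid(cookie, "192.0.2.99"))
    print(is_cookie_valid(cookie, "192.0.2.99", check_address=False))
```

A stolen cookie replayed from a different address is refused by check 2; with that check inhibited it is accepted, which is exactly the loss of security being weighed in the thread. A forged cookie fails check 1 in either configuration, since the digest cannot be produced without the server-side secret.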