Problem with client ip address changing
Viitanen Viljo
viljo.v.viitanen at jyu.fi
Thu Nov 22 07:11:06 EST 2012
Rod Widdowson on 14th November:
>I'm also slightly worried by this comment:
>
>> I can't get the error to show in the log
>> when I change my ip address manually.
>
>If you can reproduce this I'd love to see a JIRA case entered.
Sorry for the late follow-up.
When I just change the ip after login, I get the error, and both sp and idp (correctly) reject the cookie, like this:
- login to sp normally
- change ip
- sp invalidates login, redirects to idp
- idp invalidates session, shows the cookie error in log
Previously I tried to change the ip during the login (which is what I thought the problem with my users was). The flow was like this:
- try to access sp without session
- idp displays login page
- change ip
- username+password to idp (we're using idp internal auth)
- redirect to sp
But to get the problem to show up, you need to change the ip in some other way - with a proxy that changes the outgoing address on each http request, or something similar. And I'm not sure if it's reliable even then; maybe there's a race condition that happens only by chance.
So I can't reproduce at all the problem I was worried about: the situation where the user was sent to the sp with no attributes.
That only shows in our production logs - and I've so far only confirmed one case. The user reported a problem with login to a certain sp (google), and when we requested her to test a login to an sp of ours, the application reported a problem with receiving a "null username" with a timestamp. I can see that there had been a login at the idp and a login at the sp at the same time, and some cookie-ip errors a few seconds before that in the idp server log, and the errors match the ip addresses the login was made with. The sp log shows that there was " NameIdentifier: none" and no eppn sent, when normally the nameidentifier is as it should be, _<long hex digit string>, and the eppn is there.
I've also decided it's not worth making this into a jira issue - it's rare enough, and I was mistaken to think that any ip address change during the login results in this "login without attributes" behavior.
Viljo Viitanen
University of Jyväskylä
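The two reproduction flows above, modelled as an added example (this is not Shibboleth code and not the poster's; the class names, addresses and user are constructed): a session is bound to the client address it was issued from, so changing address after login trips the check, while changing address before credentials are submitted does not, because the session is only created afterwards.

```python
"""Toy model of an IP-bound session cookie (added example, not Shibboleth's
implementation). Only the observable rule from the post is modelled: a session
presented from an address other than the one it was issued to is rejected."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    user: str
    bound_ip: str
    attributes: dict = field(default_factory=dict)


class IdP:
    """Issues sessions bound to the address the login request came from."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, client_ip):
        token = secrets.token_hex(8)  # stands in for the session cookie value
        self.sessions[token] = Session(user, client_ip,
                                       {"eppn": f"{user}@example.org"})
        return token

    def check(self, token, client_ip):
        """Return (session, reason); session is None when the cookie is rejected."""
        s = self.sessions.get(token)
        if s is None:
            return None, "no session"
        if s.bound_ip != client_ip:
            return None, f"cookie bound to {s.bound_ip}, presented from {client_ip}"
        return s, "ok"


def flow_change_after_login(idp):
    # Flow 1 from the post: log in, then change address, then come back via the sp.
    token = idp.login("alice", "10.0.0.1")   # constructed addresses
    _, first = idp.check(token, "10.0.0.1")
    _, second = idp.check(token, "10.0.0.2")
    return first, second


def flow_change_during_login(idp):
    # Flow 2: login page was shown from 10.0.0.1, address changes to 10.0.0.2
    # before credentials are submitted, so the session is bound to 10.0.0.2.
    token = idp.login("alice", "10.0.0.2")
    _, result = idp.check(token, "10.0.0.2")
    return result
```

The second flow only fails if yet another address change lands between the idp login and the sp's check, which is the per-request proxy scenario the post describes.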