Problem with client ip address changing
janusz.ulanowski at heanet.ie
Thu Nov 22 09:56:17 EST 2012
I can confirm we discovered the same problem in version 2.3.3,
but it has disappeared after the upgrade to 2.3.8.
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301
tel: +353-1-660 9040 fax: +353-1-660 3666
On 22/11/12 12:11, Viitanen Viljo wrote:
> Rod Widdowson on 14th November:
>> I'm also slightly worried by this comment:
> >>> I can't get the error to show in the log
> >>> when I change my ip address manually.
>> If you can reproduce this I'd love to see a JIRA case entered.
> Sorry for the late follow-up.
> When I just change the ip after login, I get the error, and both sp and idp (correctly) reject the cookie, like this:
> - login to sp normally
> - change ip
> - sp invalidates login, redirects to idp
> - idp invalidates session, shows the cookie error in log
> Previously I tried to change the ip during the login (which I thought the problem with my users was). The flow was like this:
> - try to access sp without session
> - idp displays login page
> - change ip
> - username+password to idp (we're using idp internal auth)
> - redirect to sp
> But to get the problem to show up, you need to change the ip in some other way - with a proxy that changes outgoing address on each http request or something. And I'm not sure if it's reliable even then, maybe there's a race condition that happens only by chance.
> So I can't reproduce at all the problem I was worried about: the situation where the user was sent to the sp with no attributes.
> That only shows in our production logs - and I've so far only confirmed one case where the user reported a problem with login to a certain sp (google), and when we requested her to test a login to an sp of ours, the application reported a problem with receiving a "null username" with timestamp, and I can see that there had been a login at the idp and a login at the sp at the same time, and some cookie-ip errors a few seconds before that in the idp server log, and the errors match the ip addresses the login was made with. The sp log shows that there was " NameIdentifier: none" and no eppn sent when normally nameidentifier is as it should be, _<long hex digit string>, and the eppn is there.
> I've also decided it's not worth making this into a jira issue - it's rare enough, and I was mistaken to think that any ip address change during the login results in this "login without attributes" behavior.
> Viljo Viitanen
> University of Jyväskylä