Problem with client ip address changing
Janusz Ulanowski
janusz.ulanowski at heanet.ie
Thu Nov 22 09:56:17 EST 2012
Hi,
I can confirm we discovered the same problem in version 2.3.3,
but it disappeared after the upgrade to 2.3.8.
Regards,
Janusz Ulanowski
Edugate: http://www.edugate.ie
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301
tel: +353-1-660 9040 fax: +353-1-660 3666
web: http://www.heanet.ie/
HEAnet National Conference 2012
http://www.heanet.ie/conferences/2012
On 22/11/12 12:11, Viitanen Viljo wrote:
> Rod Widdowson on 14th November:
>
>> I'm also slightly worried by this comment:
>>
>>> I can't get the error show in the log
>>> when change my ip address manually.
>>
>> If you can reproduce this I'd love to see a JIRA case entered.
>
> Sorry for the late follow-up.
>
> When I just change the ip after login, I get the error, and both sp and idp (correctly) reject the cookie, like this:
> - login to sp normally
> - change ip
> - sp invalidates login, redirects to idp
> - idp invalidates session, shows the cookie error in log
>
> Previously I tried to change the ip during the login (which I thought was the problem with my users). The flow was like this:
> - try to access sp without session
> - idp displays login page
> - change ip
> - username+password to idp (we're using idp internal auth)
> - redirect to sp
>
> But to get the problem to show up, you need to change the ip in some other way - with a proxy that changes outgoing address on each http request or something. And I'm not sure if it's reliable even then, maybe there's a race condition that happens only by chance.
>
> So I can't reproduce at all the problem I was worried about: the situation where the user was sent to the sp with no attributes.
>
> That only shows in our production logs - and I've so far only confirmed one case where the user reported a problem with login to a certain sp (google), and when we requested her to test a login to an sp of ours, the application reported a problem with receiving a "null username" with timestamp, and I can see that there had been a login at the idp and a login at the sp at the same time, and some cookie-ip errors a few seconds before that in the idp server log, and the errors match the ip addresses the login was made with. The sp log shows that there was " NameIdentifier: none" and no eppn sent when normally nameidentifier is as it should be, _<long hex digit string>, and the eppn is there.
>
> I've also decided it's not worth making this into a jira issue - it's rare enough, and I was mistaken to think that any ip address change during the login results in this "login without attributes" behavior.
>
> Viljo Viitanen
> University of Jyväskylä