WebApp Sec mailing list archives
Re: HTTP Authentication & Source IP Address
From: Dorian Moore <lists () dorianmoore com>
Date: Sat, 30 Nov 2002 15:55:50 +0000
Hiya,

The main reason is that your user might be behind some form of proxy. Subsequent requests from people on [for instance] AOL may come from different IP addresses due to the distribution of their proxy service. This would mean that your GET request for the main page could come from one IP address, then for subsequent components [be it parts of that page, or other pages] could come from a different IP address, thus invalidating your session ID.

There are other reasons, but that's a good enough one.

_d._

on 30/11/02 1:13 pm the person going by the name James Wilkinson at james.wilkinson () jwit co uk spake :
Hi,

In the recent discussion on HTTP Authentication, it was said (by Bob Lee) that you can't tie the origin of the request (the IP address) to the session for reasons that have been discussed here time and time again. For a recent joiner of this forum, where can I find this discussion, or could someone please re-iterate the reasons (yet again).

Thanks.

J.

James Wilkinson
James Wilkinson IT Ltd.
email: james.wilkinson () jwit co uk
Tel: 023 80456076
Mob: 07748 992874
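The failure described in the reply above, as an added example that is not part of the original thread: a hypothetical session store (`IpBoundSessions`; all names, paths and addresses are constructed for illustration) binds each session ID to the source IP, and one user's page load is replayed first over a direct connection and then through a proxy pool that spreads requests across several egress addresses.

```python
import secrets


class IpBoundSessions:
    """Hypothetical session store that ties a session ID to the IP that created it."""

    def __init__(self):
        self._owner = {}  # session ID -> source IP seen when the session was issued

    def login(self, source_ip):
        sid = secrets.token_hex(16)
        self._owner[sid] = source_ip
        return sid

    def check(self, sid, source_ip):
        """Accept only if the request comes from the bound IP.
        A mismatch is treated as a hijack attempt and kills the session."""
        bound = self._owner.get(sid)
        if bound is None:
            return False
        if bound != source_ip:
            del self._owner[sid]
            return False
        return True


def replay(requests):
    """requests: list of (source_ip, path); the first entry is the main-page GET
    that creates the session. Returns the paths the server rejected."""
    store = IpBoundSessions()
    sid = store.login(requests[0][0])
    return [path for ip, path in requests[1:] if not store.check(sid, ip)]


# Constructed traffic: the same user and the same page in both cases.
DIRECT = [("198.51.100.7", "/"), ("198.51.100.7", "/style.css"),
          ("198.51.100.7", "/logo.png"), ("198.51.100.7", "/account")]
# Assumed proxy pool: each request may leave through a different egress address.
PROXIED = [("192.0.2.10", "/"), ("192.0.2.11", "/style.css"),
           ("192.0.2.10", "/logo.png"), ("192.0.2.12", "/account")]

if __name__ == "__main__":
    print("direct  rejected:", replay(DIRECT))
    print("proxied rejected:", replay(PROXIED))
```

In the proxied run the first component fetched from a different egress address invalidates the session, so even the later request that returns from the original address is refused.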
Current thread:
- Re: HTTP Authentication & Source IP Address James Wilkinson (Nov 30)
- Re: HTTP Authentication & Source IP Address Dorian Moore (Nov 30)
- RE: HTTP Authentication & Source IP Address Matt Petteys (Nov 30)
- Dead Thread - HTTP Authentication & Source IP Address Mark Curphey (Nov 30)
- Re: HTTP Authentication & Source IP Address Jeff Dafoe (Nov 30)