Hello Paul,

The IP is indeed used to create the validation cookie. But in order to
fix issues with proxies, the IP is "guessed" thanks to the "X-Forwarded-For"
header of the request.
But I can't tell since which version it has been done this way :). So what
version of XWiki were you using when you got these issues?

Thomas

On Wed, Mar 6, 2013 at 9:02 PM, Paul Libbrecht <[email protected]> wrote:

>
> Hello fellow developers,
>
> So as to preserve security of our users, we do one small thing: the
> user-name and password (and registration info) is submitted over https. All
> other communication is done over http.
>
> This works well for someone connected normally to the internet.
> This works incorrectly for someone who is forced to use a proxy by their
> network conditions, e.g. hotels, wifi hotspots and mobile devices' provided
> networks.
> The reason it is the case is the following:
>
> MyPersistentLoginManager.checkValidation checks a "validation" cookie
> which computes a salted hash of the triple username, password, and IP. And
> in the cases above, the IPs are different, so the validation fails, the
> login is unsuccessful, the console says:
> > Login cookie validation hash mismatch! Cookies have been tampered with
>
> What are our options?
>
> Is it true that removing IP in this validation would make the system weak
> as anyone stealing the cookie from another IP could become that user?
>
> Would it be as simple as finding the right header "chain end" and replacing
> it?
> It seems that it would be possible.
>
> paul
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>
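The two mechanisms discussed in this thread, a validation cookie whose keyed hash covers username, password and client IP, and a client IP recovered from the "X-Forwarded-For" chain end, sketched as a stand-alone Python model. This is an added example written for this page, not XWiki's MyPersistentLoginManager (which is Java); the secret, the trusted proxy range and every function name are assumptions, and the header is only honoured when the request's direct peer is one of our own proxies, since any client can send the header itself.

```python
import hashlib
import hmac
import ipaddress

# Constructed values for this example; a deployment keeps the secret out of
# source and lists the proxies that actually sit in front of the wiki.
SECRET = b"constructed-demo-secret"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip_text):
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in TRUSTED_PROXIES)
    except ValueError:  # malformed entry: never treat it as a trusted hop
        return False


def client_ip(peer_ip, x_forwarded_for=None):
    """IP to bind the validation cookie to.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy.
    The chain is walked from the right (the hop our proxy appended) back to
    the first address that is not one of our own proxies: that is the
    'chain end' the cookie should be bound to.
    """
    if not x_forwarded_for or not _is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return peer_ip  # every listed hop was ours; fall back to the peer


def validation_hash(username, password, ip, bind_ip=True):
    """Keyed hash over (username, password, ip), as the thread describes;
    with bind_ip=False the IP is left out so the cookie survives IP changes."""
    msg = "\0".join([username, password, ip if bind_ip else ""]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def check_validation(cookie, username, password, ip, bind_ip=True):
    """Constant-time comparison of the presented cookie with the expected hash."""
    expected = validation_hash(username, password, ip, bind_ip)
    return hmac.compare_digest(cookie, expected)
```

Binding to the IP is exactly what breaks behind a hotel or mobile proxy, as the thread reports, and dropping it (bind_ip=False) means a stolen cookie validates from any address; picking the right chain end behind a trusted proxy is the middle ground.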