Hi,
today I used my test installation of DSpace for the first time from home where
I have IPv4 and IPv6 in a dual stack setup. My server has an IPv4 and IPv6
connection as well, but in my office I currently have IPv4 only. So today I was
using DSpace JSPUI (master branch from early May 2014) in an IPv4/IPv6 dual
stack setup for the first time.
While using DSpace I was asked to login every two minutes. As this was quite
annoying I looked into dspace.log and found the following line:
2014-06-08 14:01:13,201 WARN org.dspace.app.webui.util.UIUtil @ POSSIBLE
HIJACKED SESSION: request from 2001:6f8:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX does not
match original session address: 85.XXX.XXX.XXX. Authentication rejected.
I think the problem is obvious: My Mac is alternating using IPv4 and IPv6 to
connect to my DSpace installation. DSpace detects this as a possible session
hijacking attack and invalidates my session.
Has anyone had the same problem (already)? Has anyone an idea how to solve this
problem? And please don't suggest that I use either IPv4 or IPv6. ;-)
Regards,
Pascal
P.S. A solution could be to save an IPv4 and an IPv6 address to prevent session
hijacking while supporting IPv4/6 double stack setups. But even then we could
run into problems with IPv6 privacy extensions...
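
The idea from the P.S., sketched as an added example that is not part of the original post and not DSpace code: a session remembers one address per family and compares IPv6 addresses on their /64 prefix only, so that privacy-extension address rotation does not invalidate the session. The class name SessionAddressBinding and the sample addresses are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;

// Added example: hypothetical class, not DSpace code.
public class SessionAddressBinding {
    private byte[] boundV4;       // full IPv4 address first seen for this session
    private byte[] boundV6Prefix; // first 64 bits of the IPv6 address first seen

    // Returns true if remoteAddr is consistent with what this session has seen before.
    // Expects an IP literal (e.g. from ServletRequest.getRemoteAddr());
    // literals are parsed without a DNS lookup.
    public synchronized boolean accept(String remoteAddr) throws UnknownHostException {
        byte[] raw = InetAddress.getByName(remoteAddr).getAddress();
        if (raw.length == 4) { // IPv4, including IPv4-mapped IPv6 literals
            if (boundV4 == null) { boundV4 = raw; return true; }
            return Arrays.equals(boundV4, raw);
        }
        // IPv6: compare only the /64 prefix, because privacy extensions
        // rotate the interface identifier (the low 64 bits).
        byte[] prefix = Arrays.copyOf(raw, 8);
        if (boundV6Prefix == null) { boundV6Prefix = prefix; return true; }
        return Arrays.equals(boundV6Prefix, prefix);
    }

    public static void main(String[] args) throws UnknownHostException {
        SessionAddressBinding session = new SessionAddressBinding();
        // Constructed sample addresses from the documentation ranges.
        String[] requests = {
            "198.51.100.7",                     // login over IPv4
            "2001:db8:1:2::a1",                 // same client switches to IPv6
            "2001:db8:1:2:aaaa:bbbb:cccc:dddd", // new temporary address, same /64
            "198.51.100.7",                     // back to IPv4
            "2001:db8:9:9::1",                  // different /64
            "203.0.113.50"                      // different IPv4 address
        };
        for (String addr : requests) {
            String verdict = session.accept(addr) ? "accepted" : "rejected";
            System.out.println(addr + " -> " + verdict);
        }
    }
}
```

The first address seen for a family the session has not used yet is accepted without verification, so this check is weaker than a single-address comparison and only narrows where a stolen session cookie can be replayed from.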
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette