Re: [Dspace-tech] IPv4/6 double stack setup and session hijacking prevention

2014-07-03 Thread Becker, Pascal-Nicolas
Maybe, but the downside is that DSpace cannot be used in an IPv4/IPv6 dual stack
setup currently. And those will become more and more common...

 -Original Message-
 From: Alan Orth [mailto:alan.o...@gmail.com]
 Sent: Wednesday, July 02, 2014 9:49 PM
 To: Becker, Pascal-Nicolas; dspace-tech@lists.sourceforge.net
 Subject: Re: [Dspace-tech] IPv4/6 double stack setup and session hijacking
 prevention
 
 Well, if this *was* a session hijacking attempt... wouldn't it look exactly
 like this?  ie, DSpace would be actually protecting you. :)
 
 Alan
 
 On 06/08/2014 03:34 PM, Becker, Pascal-Nicolas wrote:
  Hi,
 
 
  today I used my test installation of DSpace for the first time from
  home where I have IPv4 and IPv6 in a dual stack setup. My server has
  an IPv4 and IPv6 connection as well, but in my office I currently have
  IPv4 only. So today I was using DSpace JSPUI (master branch from early
  May 2014) in an IPv4/IPv6 dual stack setup for the first time.
 
 
  While using DSpace I was asked to login every two minutes. As this was
  quite annoying I looked into dspace.log and found the following line:
 
 
  2014-06-08 14:01:13,201 WARN  org.dspace.app.webui.util.UIUtil @
  POSSIBLE HIJACKED SESSION: request from 2001:6f8:::::: does not
  match original session address: 85.XXX.XXX.XXX. Authentication rejected.
 
 
  I think the problem is obvious: My Mac is alternating using IPv4 and
  IPv6 to connect to my DSpace installation. DSpace detects this as a
  possible session hijacking attack and invalidates my session.
 
 
  Has anyone had the same problem (already)? Has anyone an idea how to
  solve this problem? And please don't suggest that I use either IPv4 or
  IPv6. ;-)
 
 
  Regards,
 
Pascal
 
 
  P.S. A solution could be to save an IPv4 and an IPv6 address to prevent
  session hijacking while supporting IPv4/6 double stack setups. But
  even then we could run into problems with IPv6 privacy extensions...
 
 
 
 
 
 
  ___
  DSpace-tech mailing list
  DSpace-tech@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/dspace-tech
  List Etiquette:
  https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
 
 
 
 --
 Alan Orth
 alan.o...@gmail.com
 http://alaninkenya.org
 http://mjanja.co.ke
 I have always wished for my computer to be as easy to use as my
 telephone; my wish has come true because I can no longer figure out how to
 use my telephone. -Bjarne Stroustrup, inventor of C++ GPG public key ID:
 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0




Re: [Dspace-tech] IPv4/6 double stack setup and session hijacking prevention

2014-07-02 Thread Alan Orth
Well, if this *was* a session hijacking attempt... wouldn't it look
exactly like this?  ie, DSpace would be actually protecting you. :)

Alan

On 06/08/2014 03:34 PM, Becker, Pascal-Nicolas wrote:
 Hi,
 
 
 today I used my test installation of DSpace for the first time from home
 where I have IPv4 and IPv6 in a dual stack setup. My server has an IPv4
 and IPv6 connection as well, but in my office I currently have IPv4
 only. So today I was using DSpace JSPUI (master branch from early May
 2014) in an IPv4/IPv6 dual stack setup for the first time.
 
 
 While using DSpace I was asked to login every two minutes. As this was
 quite annoying I looked into dspace.log and found the following line:
 
 
 2014-06-08 14:01:13,201 WARN  org.dspace.app.webui.util.UIUtil @
 POSSIBLE HIJACKED SESSION: request from
 2001:6f8:::::: does not match original session
 address: 85.XXX.XXX.XXX. Authentication rejected.
 
 
 I think the problem is obvious: My Mac is alternating using IPv4 and
 IPv6 to connect to my DSpace installation. DSpace detects this as a
 possible session hijacking attack and invalidates my session.
 
 
 Has anyone had the same problem (already)? Has anyone an idea how to
 solve this problem? And please don't suggest that I use either IPv4 or
 IPv6. ;-)
 
 
 Regards,
 
   Pascal
 
 
 P.S. A solution could be to save an IPv4 and an IPv6 address to prevent
 session hijacking while supporting IPv4/6 double stack setups. But even
 then we could run into problems with IPv6 privacy extensions...
 
 
 
 
 
 
 


-- 
Alan Orth
alan.o...@gmail.com
http://alaninkenya.org
http://mjanja.co.ke
I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how
to use my telephone. -Bjarne Stroustrup, inventor of C++
GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0




[Dspace-tech] IPv4/6 double stack setup and session hijacking prevention

2014-06-08 Thread Becker, Pascal-Nicolas
Hi,


today I used my test installation of DSpace for the first time from home where 
I have IPv4 and IPv6 in a dual stack setup. My server has an IPv4 and IPv6 
connection as well, but in my office I currently have IPv4 only. So today I was 
using DSpace JSPUI (master branch from early May 2014) in an IPv4/IPv6 dual 
stack setup for the first time.


While using DSpace I was asked to login every two minutes. As this was quite 
annoying I looked into dspace.log and found the following line:


2014-06-08 14:01:13,201 WARN  org.dspace.app.webui.util.UIUtil @ POSSIBLE 
HIJACKED SESSION: request from 2001:6f8:::::: does not 
match original session address: 85.XXX.XXX.XXX. Authentication rejected.


I think the problem is obvious: My Mac is alternating using IPv4 and IPv6 to 
connect to my DSpace installation. DSpace detects this as a possible session 
hijacking attack and invalidates my session.


Has anyone had the same problem (already)? Has anyone an idea how to solve this 
problem? And please don't suggest that I use either IPv4 or IPv6. ;-)


Regards,

  Pascal


P.S. A solution could be to save an IPv4 and an IPv6 address to prevent session 
hijacking while supporting IPv4/6 double stack setups. But even then we could 
run into problems with IPv6 privacy extensions...
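The check that the P.S. above sketches, as an added example that is not DSpace code and not part of the original thread: one IPv4 address and one IPv6 prefix are bound to a session, each on first sight, and a request is rejected only when it disagrees with the binding for its own address family. All names here (`strict_check`, `normalize`, `SessionBinding`, `simulate`) are hypothetical. `strict_check` models the single-address string comparison that produces the "POSSIBLE HIJACKED SESSION" warning quoted in the thread. Two design choices are assumptions, not anything the thread states: IPv6 is compared at /64 so that privacy-extension rotation inside the client's prefix does not trip the check, and IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`, which a dual-stack servlet container may report for an IPv4 client) are unwrapped to plain IPv4 before comparison. The request sequence is constructed from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Assumption: IPv6 is compared at /64, the prefix inside which RFC 4941 privacy
# addresses rotate. Widen or narrow this to match the deployment's address plan.
IPV6_PREFIX_LEN = 64

# Constructed request sequence from one dual-stack client (documentation
# addresses, not the thread's real ones), followed by two foreign hosts.
REQUESTS = [
    "203.0.113.5",           # first request over IPv4: this binds the session
    "2001:db8:0:1::10",      # same client, next request goes over IPv6
    "::ffff:203.0.113.5",    # same IPv4 client, as a dual-stack container may report it
    "2001:db8:0:1:abcd::7",  # privacy-extension rotation inside the same /64
    "198.51.100.9",          # a different IPv4 host
    "2001:db8:0:2::10",      # a different IPv6 /64
]


def strict_check(session_addr: str, remote_addr: str) -> bool:
    """Single-address binding: the comparison behind the thread's warning."""
    return session_addr == remote_addr


def normalize(addr: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


@dataclass
class SessionBinding:
    """One IPv4 address and one IPv6 prefix per session, bound on first sight."""
    v4: Optional[ipaddress.IPv4Address] = None
    v6_prefix: Optional[ipaddress.IPv6Network] = None

    def check(self, remote_addr: str) -> bool:
        """True if the request is consistent with this session's bindings."""
        ip = normalize(remote_addr)
        if isinstance(ip, ipaddress.IPv4Address):
            if self.v4 is None:
                self.v4 = ip          # first IPv4 request binds the v4 half
                return True
            return ip == self.v4
        # IPv6: bind and compare the /64 prefix, not the full address
        prefix = ipaddress.IPv6Network(f"{ip}/{IPV6_PREFIX_LEN}", strict=False)
        if self.v6_prefix is None:
            self.v6_prefix = prefix   # first IPv6 request binds the v6 half
            return True
        return prefix == self.v6_prefix


def simulate(requests: List[str] = REQUESTS) -> List[Tuple[str, bool, bool]]:
    """Run both checks over the sequence; the session was created by requests[0]."""
    session_addr = requests[0]
    binding = SessionBinding()
    return [(r, strict_check(session_addr, r), binding.check(r)) for r in requests]


if __name__ == "__main__":
    def verdict(ok: bool) -> str:
        return "ok" if ok else "REJECT"

    for addr, single, dual in simulate():
        print(f"{addr:24} single-address: {verdict(single):7} dual-stack: {verdict(dual)}")
```

Running the file prints the two verdicts side by side: the single-address check rejects every request after the first, including the client's own IPv6 and IPv4-mapped requests, while the dual-stack binding accepts those and still rejects the two foreign hosts. What the relaxed check gives up is visible in the /64 rule: any other host inside the client's IPv6 prefix can replay a stolen session cookie without tripping it, so the address binding narrows the hijack window rather than closing it, and the usual cookie protections (TLS for every request, Secure and HttpOnly flags) still have to carry the real weight.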