Hi Christopher,

Thanks for reminding me of my extra doubt that I missed writing about in
the first post:

Picking up on AOL: If I'm on proxy1 now, with many other users - will I
stay on that proxy for a long time? Or will I be load-balanced to many
other proxies during my visit to the site? There's nothing that forces
me to come from the same IP every time. It's still common that home
routers might get new addresses at least every 24h, and many mobile
providers don't give out public IP addresses - I'm not sure if I keep my
IP address if I'm roaming to another network cell.

Conclusion: Protection by IP-address-fixation calls for random problems
that are hard to reproduce.

Olaf

On 12.01.2016 at 16:51, Christopher Schultz wrote:
> Olaf,
>
> On 1/11/16 4:12 PM, Olaf Kock wrote:
>> Well, at least you do a bit of protection instead of just disabling the
>> session fixation security filter. However, be aware that potentially
>> many people might come from the same IP address - either because it's a
>> NATing home router or a big company's proxy server. Especially if you
>> want to attack someone who's in the same network as yourself, this
>> IP-based protection is quite useless.
> The primary example of this not working is America Online (which really
> does still exist). I haven't checked recently, but for quite a long
> time, they would proxy everybody through a small set of servers --
> millions of users all appearing to have the same IP address.
>
> Restricting a login to a single IP address (e.g. like Bugzilla can do)?
> That does actually make some sense since it doesn't harm anyone and
> merely fails to add protection to AOL users and other users in a
> similar situation.
>
> But making IP address ~= session id? That will never work properly.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
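The two failure modes the thread describes (a shared proxy address gives no separation between users behind it, and an address that changes mid-visit logs a legitimate user out) can be shown with a small in-memory session store. The code below is an added illustration written for this thread; it is not Tomcat's code, and the `SessionStore` class, the scenario functions and the IP addresses are all constructed for the example. The `bind_to_ip=False` policy models the session-id rotation on authentication that container-level fixation protection relies on instead of IP pinning.

```python
import secrets


class SessionStore:
    """Constructed illustration of two session-handling policies (not Tomcat code).

    bind_to_ip=True  -> a session is only valid from the IP it was created on.
    bind_to_ip=False -> no IP check; protection comes from rotating the id on login.
    """

    def __init__(self, bind_to_ip):
        self.bind_to_ip = bind_to_ip
        self.sessions = {}  # session id -> {"user": ..., "ip": ...}

    def create(self, client_ip):
        # Anonymous (pre-login) session, identified by an unguessable random id.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "ip": client_ip}
        return sid

    def login(self, sid, user, client_ip):
        # Rotate the id on authentication: the pre-login id is discarded so a
        # value planted before login cannot become an authenticated session.
        self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user, "ip": client_ip}
        return new_sid

    def lookup(self, sid, client_ip):
        # Returns the logged-in user for a presented id, or None if rejected.
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.bind_to_ip and session["ip"] != client_ip:
            return None  # IP mismatch: treated as a different client
        return session["user"]


def shared_proxy_scenario():
    """Many users behind one proxy: IP binding cannot tell them apart."""
    store = SessionStore(bind_to_ip=True)
    proxy_ip = "203.0.113.10"  # constructed: address of a shared proxy
    sid = store.login(store.create(proxy_ip), "alice", proxy_ip)
    # Any request from the same proxy presenting this id looks like alice;
    # the binding adds nothing for clients that share the address.
    return store.lookup(sid, proxy_ip)


def ip_change_scenario():
    """Legitimate user whose address changes mid-visit (new proxy, new cell)."""
    store = SessionStore(bind_to_ip=True)
    sid = store.login(store.create("198.51.100.7"), "bob", "198.51.100.7")
    # Same browser, same cookie, new source address: bob is silently logged out.
    return store.lookup(sid, "198.51.100.8")


def rotation_scenario():
    """Fixation defence without IP pinning: the pre-login id stops working."""
    store = SessionStore(bind_to_ip=False)
    pre_login = store.create("198.51.100.7")
    post_login = store.login(pre_login, "carol", "198.51.100.7")
    # The old id is dead; the new one keeps working even after an IP change.
    return store.lookup(pre_login, "198.51.100.7"), store.lookup(post_login, "203.0.113.99")


if __name__ == "__main__":
    print("shared proxy :", shared_proxy_scenario())   # alice
    print("ip change    :", ip_change_scenario())      # None (bob rejected)
    print("id rotation  :", rotation_scenario())       # (None, 'carol')
```

The `rotation_scenario` result is the point of the thread: the pre-login id is useless after authentication regardless of where the request comes from, while the legitimate user survives an address change, which the IP-bound store in `ip_change_scenario` does not allow.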

