Item1316: Disable IP Matching by default to avoid problems for people moving between LAN and WLAN or using load share gateways

Priority: Normal
Current State: Closed
Released In: 1.0.4
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: KennethLavrsen
Waiting For:
Last Change By: KennethLavrsen
TWiki and Foswiki 1.0.0 have always shipped with IP matching enabled for sessions.

This means that Foswiki checks that the IP address used when a user re-uses an existing session matches the original IP address.

The idea has been to make it more difficult to steal a session cookie.

However, as time has passed, this has been creating problems:

  • Proxy gateways used by large corporations now have load-sharing features, so that people inside a firewall accessing a site outside may appear to change IP address as the gateway chooses to route the traffic through multiple connections to the Internet. Each time the IP address changes, the user of a Foswiki experiences problems and has to re-authenticate. And if the server runs a buggy CGI::Session version, the user even has to close the browser to flush the session cookie completely before authenticating again (Item1306).
  • Inside the intranet people now have laptops; they use LAN in the docking station and WLAN when they undock and move around. Each time they change IP address. If they have a browser open and have accessed the company Foswiki, they get into trouble when they try again. People can easily change IP address many times during a working day.
  • People work while on the road using 3G modems. Here too the connection gets lost, and when it reconnects, maybe seconds later, the IP address has normally changed, again causing trouble for people.

So all in all it has become a pain to have IP matching turned on.

On the security side we do not lose much:

  • The IP address itself is not a safe measure. On an intranet it is easy to snatch someone's IP address after he has left the building and turned off his computer or undocked it.
  • When people access websites through a proxy / gateway from an intranet to the Internet, they appear to have the same IP address when they access through the same gateway. People that want to snatch someone else's session will very likely be from the same company, and then the IP matching gives nearly nothing.

Looking at the minimal security improvement vs. the problems it creates, Foswiki will from 1.0.4 be shipping with IP matching disabled.

-- KennethLavrsen - 18 Mar 2009
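The trade-off argued above can be made concrete with a small model. The following is an added illustration for this item, not Foswiki or CGI::Session code, and it does not touch the Foswiki setting itself (which I believe is `{Sessions}{UseIPMatching}` in LocalSite.cfg; treat that name as an assumption). It models a server-side session table that can optionally bind each cookie to the IP seen at login, then replays the report's cases with constructed addresses and user names: a laptop moving from LAN to WLAN, a load-sharing gateway switching uplinks, an insider who obtained the cookie and exits through the same gateway, and, for contrast, an outsider replaying the cookie from an unrelated network.

```python
"""Toy model of binding a session cookie to the client IP (Item1316).
Added illustration, not Foswiki or CGI::Session code. All IP addresses,
user names and scenarios below are constructed for the example."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    bound_ip: Optional[str]   # None when IP matching is disabled


class SessionStore:
    """Server-side session table; ip_matching mirrors the on/off switch."""

    def __init__(self, ip_matching: bool) -> None:
        self.ip_matching = ip_matching
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        """Authenticate and hand out a fresh random session id (the cookie)."""
        sid = secrets.token_hex(16)
        bound = client_ip if self.ip_matching else None
        self._sessions[sid] = Session(user, bound)
        return sid

    def resume(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user for an accepted cookie, None if re-login is needed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.bound_ip is not None and s.bound_ip != client_ip:
            return None          # address moved: session refused
        return s.user


def roaming_laptop(ip_matching: bool) -> bool:
    """Legitimate user undocks: LAN 10.1.0.23 -> WLAN 10.2.0.77."""
    store = SessionStore(ip_matching)
    sid = store.login("alice", "10.1.0.23")
    return store.resume(sid, "10.2.0.77") == "alice"


def load_sharing_gateway(ip_matching: bool) -> bool:
    """Legitimate user; corporate gateway re-routes via a second uplink."""
    store = SessionStore(ip_matching)
    sid = store.login("alice", "203.0.113.5")
    return store.resume(sid, "203.0.113.6") == "alice"


def insider_same_gateway(ip_matching: bool) -> bool:
    """Attacker in the same company who obtained the cookie; same egress IP."""
    store = SessionStore(ip_matching)
    sid = store.login("alice", "203.0.113.5")
    return store.resume(sid, "203.0.113.5") == "alice"


def outsider_other_network(ip_matching: bool) -> bool:
    """Attacker replaying the cookie from an unrelated address."""
    store = SessionStore(ip_matching)
    sid = store.login("alice", "203.0.113.5")
    return store.resume(sid, "198.51.100.9") == "alice"


def scenario_table() -> Dict[str, Dict[str, bool]]:
    """Cookie accepted? keyed by scenario, then 'matching_on' / 'matching_off'."""
    scenarios = {
        "roaming laptop (legit)": roaming_laptop,
        "load-sharing gateway (legit)": load_sharing_gateway,
        "insider behind same gateway (attacker)": insider_same_gateway,
        "outsider, other network (attacker)": outsider_other_network,
    }
    return {
        name: {"matching_on": fn(True), "matching_off": fn(False)}
        for name, fn in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in scenario_table().items():
        print(f"{name:40s} on={result['matching_on']!s:5s} off={result['matching_off']}")
```

Run it and the table shows the point of the item: with matching on, both legitimate cases are refused and the insider behind the same gateway is accepted anyway; the only request the check stops is the replay from an unrelated network. Turning matching off changes nothing for the insider and restores the two legitimate cases, so the cookie's own secrecy (a random id, TLS, HttpOnly) has to carry the weight either way.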


Codebase: 1.0.0 beta3, trunk
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
Checkins: distro:f970d8e54f3b distro:2d9935d8a4ef distro:e183aac20452 distro:531ac04865d1
Topic revision: r8 - 19 Mar 2009, KennethLavrsen