[Zope-dev] Re: CoreSessionTracking proposal

KevinL darius@bofh.net.au
Tue, 03 Oct 2000 16:19:38 +1100


Please, please, please, do _not_ use IP numbers to verify it's the same 
connection.  You guys don't have the problem in .us, but out here at the 
fringes (.au, and presumably .uk and similar), proxy server use is rampant - 
and leaning on IP breaks, because proxies share the connection around.

Example:  Connect.com.au (backbone provider) have three proxy servers in 
Melbourne, two in Sydney.  Their customers have their own proxies.  
An end user hits the customer's proxy, which requests via ICP from _all_ of 
CCA's proxies in their region - the fastest proxy at the time responds first.
Fastest can, and does, change very quickly when those boxes are close to the 
same load - a single session often chops between multiple IPs.
Then the customer's proxy is also leaning on Telstra's proxies, in a 
completely different netblock, and sometimes they decide upstream response is 
too slow and they'll go direct.

People leaning on the source IP for verification just means you get more 
complaints from .au people unable to use your site.  I wouldn't even offer it 
unless you made some passing attempt to get the browser's own IP (use 
the proxy header, can't remember which one, that reports browser IP), even 
then I'd be cautious as that's a voluntary header.

KevinL
(that one's a bugbear of mine ;)

>>> gotcha@swing.be wrote
> --- In zope@egroups.com, Chris McDonough <chrism@d...> wrote:
> > I suppose I could implement something like this (encode the IP address
> > into the token) and provide a knob to turn it on and off on the id
> > manager.  I'm not going to do this for the first iteration, I need to
> > get it working first.  :-)
[snip]
> In fact, if I remember well the server remembers the IP address 
> (instead of crunching it into the id) and checks the 
> correspondence between the session id and the IP address when 
> answering a request.
>
> I was told that some ISPs change your IP address during a 
> connection but never took the time to check if it is true.
[snip]
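The failure mode KevinL describes, and the caveat about the voluntary proxy header, as an added example. This is not Zope's CoreSessionTracking code; it is a small in-memory session store with the on/off "knob" Chris mentions, plus a client-IP attribution step. The header the post could not name is X-Forwarded-For (named here from general knowledge of HTTP proxies, not from the thread). The addresses are constructed from RFC 5737 documentation ranges, and the "trusted proxy" network is an assumption of the example: the header is only believed when the TCP peer is a proxy the site operator controls, since anyone else can send arbitrary text in it.

```python
import ipaddress
import secrets


class SessionStore:
    """In-memory session ids with an optional 'bind to client IP' knob.

    bind_ip=False: the session id alone proves the session (the post's advice).
    bind_ip=True:  the id is only accepted from the IP it was issued to.
    trusted_proxies: CIDR blocks (assumed, operator-controlled) whose
                     X-Forwarded-For header we are willing to believe.
    """

    def __init__(self, bind_ip=False, trusted_proxies=()):
        self.bind_ip = bind_ip
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
        self._bound = {}  # session id -> client IP (None when not bound)

    def _is_trusted(self, ip):
        return any(ip in net for net in self.trusted)

    def client_ip(self, peer_ip, xff=None):
        """Attribute a request to a client IP.

        X-Forwarded-For is a comma-separated list; each proxy appends the
        address it received the request from.  Walking from the right and
        skipping our own trusted proxies yields the first hop we did not
        control.  If the TCP peer is not a trusted proxy the header is
        voluntary, client-supplied text and is ignored entirely.
        """
        peer = ipaddress.ip_address(peer_ip)
        if not xff or not self._is_trusted(peer):
            return peer
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return peer  # malformed header: fall back to the peer
            if not self._is_trusted(addr):
                return addr
        return peer  # every hop was one of ours; nothing better than the peer

    def create(self, peer_ip, xff=None):
        sid = secrets.token_hex(16)
        self._bound[sid] = self.client_ip(peer_ip, xff) if self.bind_ip else None
        return sid

    def validate(self, sid, peer_ip, xff=None):
        if sid not in self._bound:
            return False
        if not self.bind_ip:
            return True
        return self._bound[sid] == self.client_ip(peer_ip, xff)


# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
PROXY_POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]  # ISP's proxy pool
BROWSER = "198.51.100.7"                                   # the end user


def pool_without_binding():
    """Knob off: the session survives the ISP hopping between proxies."""
    store = SessionStore(bind_ip=False)
    sid = store.create(PROXY_POOL[0])
    return [store.validate(sid, p) for p in PROXY_POOL]


def pool_with_naive_binding():
    """Knob on, no proxy awareness: only the issuing proxy's IP is accepted,
    so the second and third proxies in the pool break the session."""
    store = SessionStore(bind_ip=True)
    sid = store.create(PROXY_POOL[0])
    return [store.validate(sid, p) for p in PROXY_POOL]


def pool_with_trusted_xff():
    """Knob on, with the pool declared trusted and reporting X-Forwarded-For.
    Returns (results across the pool, result for a host outside the pool
    that sends the same header but is not trusted)."""
    store = SessionStore(bind_ip=True, trusted_proxies=["203.0.113.0/24"])
    sid = store.create(PROXY_POOL[0], xff=BROWSER)
    good = [store.validate(sid, p, xff=BROWSER) for p in PROXY_POOL]
    untrusted = store.validate(sid, "192.0.2.9", xff=BROWSER)
    return good, untrusted


if __name__ == "__main__":
    print("no binding:      ", pool_without_binding())
    print("naive binding:   ", pool_with_naive_binding())
    print("trusted XFF:     ", pool_with_trusted_xff())
```

The three scenarios map onto the post: with the knob off every proxy in the pool is accepted; with naive binding only the first proxy works, which is exactly the ".au users can't use your site" complaint; with the pool declared trusted, the browser's own address is recovered from the header and the session holds, while a peer outside the trusted range gets no benefit from sending the same header. The trusted range is the part that makes the header usable at all, and it only exists when the site operator runs or contracts the proxies, which is not the case for an arbitrary ISP's pool.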