[horde] strange forced logout
Andreas Schulze
sca at andreasschulze.de
Fri Jul 12 11:26:12 UTC 2013
Quoting Jan Schneider <jan at horde.org>:
>> I guess it was the checkip option, but I didn't see any message
>> about bad ip addresses in the debug log.
>
> I'm not sure you would see it in the logs, but I definitely get a
> logout message about a changed IP if this is what happens.
Hello,
the "checkip option" verifies whether an authenticated session changes to
another source IP address.
That usually means the session was hijacked.
But there is a second case:
imagine users using a proxy.
imagine *really many* users using a proxy: the proxy will be a farm of
proxies.
The user no longer talks to a dedicated proxy but to a load balancer.
In this case it *may* happen that the load balancer switches users from one
proxy to another.
Horde sees a changed IP and discards the session - bad.
I personally do use Horde via a proxy farm and did not have the problem.
Usually the load balancer handles persistence well...
The current implementation in ~pear/Horde/Registry.php requires an exact match.
I suggest an enhancement to allow little changes (same subnet for example).
It could be a netmask specified by the admin to be a "tolerated" IP change.
In case of IPv6 this could be a /64. But that's a policy decision to be made by
the Horde administrator.
Andreas
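
The tolerated-netmask check suggested in the message above, as an added example that is not part of the original post and is not Horde code. The function name `ip_change_tolerated` and its prefix parameters are hypothetical; the defaults reproduce an exact match, and the check fails closed on unparseable addresses and on an IPv4/IPv6 family switch.

```php
<?php
/**
 * Added example (hypothetical helper, not from Horde/Registry.php).
 * Returns true if $current lies in the same network as $original,
 * where the network size is $prefix4 bits for IPv4 and $prefix6 for IPv6.
 */
function ip_change_tolerated(string $original, string $current,
                             int $prefix4 = 32, int $prefix6 = 128): bool
{
    // inet_pton() yields 4 raw bytes for IPv4 and 16 for IPv6.
    $a = @inet_pton($original);
    $b = @inet_pton($current);
    // Unparseable input or a change of address family never matches.
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false;
    }
    $bits = strlen($a) === 4 ? $prefix4 : $prefix6;
    if ($bits < 0 || $bits > strlen($a) * 8) {
        return false; // misconfigured prefix: fail closed
    }
    // Compare the whole bytes covered by the prefix first.
    $fullBytes = intdiv($bits, 8);
    if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
        return false;
    }
    // Then compare the leading bits of the next byte, if the prefix
    // does not end on a byte boundary.
    $remBits = $bits % 8;
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
}

// Constructed sample addresses from the documentation ranges,
// checked with an admin policy of /24 for IPv4 and /64 for IPv6.
$cases = [
    ['192.0.2.10',      '192.0.2.77'],           // proxy farm inside one /24
    ['192.0.2.10',      '198.51.100.10'],        // different IPv4 network
    ['2001:db8:1:2::a', '2001:db8:1:2:ffff::b'], // same IPv6 /64
    ['192.0.2.10',      '2001:db8::1'],          // address family changed
];
foreach ($cases as [$old, $new]) {
    printf("%s -> %s: %s\n", $old, $new,
        ip_change_tolerated($old, $new, 24, 64) ? 'keep session' : 'discard session');
}
```

A wider prefix trades hijack detection for fewer false logouts, since any client inside the tolerated network passes the check.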