WebApp Sec mailing list archives
Re: HTTP Authentication & Source IP Address
From: "Jeff Dafoe" <jeff () badtz-maru com>
Date: Sat, 30 Nov 2002 11:56:33 -0500
In the recent discussion on HTTP Authentication, it was said (by Bob Lee) that you can't tie the origin of the request (the IP address) to the session for reasons that have been discussed here time and time again.

Because of proxies such as those in use by AOL. Take this log excerpt:

152.163.188.232 - - [30/Nov/2002:12:01:09 -0500] "GET /subcultural/index HTTP/1.1" 200 19861
152.163.188.228 - - [30/Nov/2002:12:01:09 -0500] "GET /image/subcultural/site/subcultural_on_dkgrey.gif HTTP/1.0" 200 2008
152.163.188.67 - - [30/Nov/2002:12:01:09 -0500] "GET /image/subcultural/site/front-mainpromo-1129.jpg HTTP/1.1" 304 -
152.163.188.2 - - [30/Nov/2002:12:01:11 -0500] "GET /image/subcultural/site/sidenav-dresses.gif HTTP/1.0" 200 249

All four of those requests originated from the same user, who was on AOL. Although all of the requests are from 152.163.188 in this instance, that frequently doesn't hold true.

Jeff
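
Added example, not part of the original post: a Python replay of the four log lines above against a session check that pins the client to the first request's address (/32) or to its surrounding network. The function names are hypothetical; the /24 check passes only for this excerpt, which the post says frequently does not hold.

```python
import ipaddress
import re

# The four access-log lines quoted in the post (one AOL user, one page view).
LOG = """\
152.163.188.232 - - [30/Nov/2002:12:01:09 -0500] "GET /subcultural/index HTTP/1.1" 200 19861
152.163.188.228 - - [30/Nov/2002:12:01:09 -0500] "GET /image/subcultural/site/subcultural_on_dkgrey.gif HTTP/1.0" 200 2008
152.163.188.67 - - [30/Nov/2002:12:01:09 -0500] "GET /image/subcultural/site/front-mainpromo-1129.jpg HTTP/1.1" 304 -
152.163.188.2 - - [30/Nov/2002:12:01:11 -0500] "GET /image/subcultural/site/sidenav-dresses.gif HTTP/1.0" 200 249
"""

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def client_ips(log_text):
    """Return the client address of every well-formed log line, in order."""
    ips = []
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def rejected_requests(ips, prefix_len):
    """Simulate binding the session to the network of the first request.

    Returns the addresses that a check of the form 'client must be inside
    first_ip/prefix_len' would refuse for the rest of the session.
    """
    if not ips:
        return []
    bound = ipaddress.ip_network(f"{ips[0]}/{prefix_len}", strict=False)
    return [ip for ip in ips[1:] if ip not in bound]


if __name__ == "__main__":
    ips = client_ips(LOG)
    for prefix in (32, 27, 24):
        bad = rejected_requests(ips, prefix)
        print(f"/{prefix}: {len(bad)} of {len(ips) - 1} follow-up requests rejected")
```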