WebApp Sec mailing list archives

RE: HTTP Authentication & Source IP Address


From: "Matt Petteys" <mpetteys () securestate net>
Date: Sat, 30 Nov 2002 11:37:59 -0500


HTTP requests from multiple individuals can come from a single IP address
when being routed through a firewall or proxy.

And HTTP requests from one individual can come from different IP addresses
when connecting through a proxy network such as AOL's.

http://webmaster.info.aol.com/proxyinfo.html

If your application is targeted for a wide audience of users then make sure
you don't assume too much about the relationship between the originating IP
address and the individual's session.

-----Original Message-----
From: James Wilkinson [mailto:james.wilkinson () jwit co uk]
Sent: Saturday, November 30, 2002 8:14 AM
To: Security Focus Forum
Subject: Re: HTTP Authentication & Source IP Address


Hi,

In the recent discussion on HTTP Authentication, it was said (by Bob Lee)
that you can't tie the origin of the request (the IP address) to the
session for reasons that have been discussed here time and time again.

For a recent joiner of this forum, where can I find this discussion, or
could someone please re-iterate the reasons (yet again)?

Thanks.

J.
James Wilkinson
James Wilkinson IT Ltd.
email: james.wilkinson () jwit co uk
Tel: 023 80456076
Mob: 07748 992874
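
Added example, not part of the original thread: the two cases from the reply above (several users behind one firewall address, one user moving across a proxy pool) replayed through three session checks. The request log, user names, session ids and the token_only policy are constructed assumptions for illustration.

```python
# Constructed sample requests: (session_id, real_user, source_ip). All values are made up.
REQUESTS = [
    ("s1", "alice", "203.0.113.10"),   # alice and bob share one firewall/NAT address
    ("s2", "bob",   "203.0.113.10"),
    ("s3", "carol", "198.51.100.21"),  # carol sits behind a proxy pool: IP varies per request
    ("s3", "carol", "198.51.100.37"),
    ("s3", "carol", "198.51.100.52"),
    ("s1", "alice", "203.0.113.10"),
]

def strict_ip_binding(requests):
    """Reject any request whose IP differs from the one the session first used."""
    first_ip, rejected = {}, []
    for sid, user, ip in requests:
        if first_ip.setdefault(sid, ip) != ip:
            rejected.append((sid, user, ip))   # legitimate user locked out
    return rejected

def ip_as_identity(requests):
    """Treat the source IP as the user; return IPs that really map to several users."""
    users_by_ip = {}
    for _sid, user, ip in requests:
        users_by_ip.setdefault(ip, set()).add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}

def token_only(requests, valid_sessions):
    """Assumed policy: accept on the session token alone and only record IP changes."""
    last_ip, accepted, ip_changes = {}, 0, []
    for sid, _user, ip in requests:
        if sid not in valid_sessions:
            continue
        accepted += 1
        if sid in last_ip and last_ip[sid] != ip:
            ip_changes.append((sid, last_ip[sid], ip))  # a signal to log, not a verdict
        last_ip[sid] = ip
    return accepted, ip_changes

if __name__ == "__main__":
    print("strict binding rejects:", strict_ip_binding(REQUESTS))
    print("IPs shared by users:   ", ip_as_identity(REQUESTS))
    print("token-only result:     ", token_only(REQUESTS, {"s1", "s2", "s3"}))
```
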



