According to Tim Nowaczyk:
>
> My company implemented this but went one more step. They created a
> file that had (IP, ticket) pairs. The ticket was passed around in
> URLs, but wasn't valid unless it came from the specific IP. To
> pretend to be someone else, one would have to spoof their IP and
> guess the value of their (10 hour life-cycle) ticket. We did this,
> originally, because we wanted to support web browsers that didn't
> use cookies. The file was, actually, more like (IP, ticket,
> cookie-type-options-and-settings). It worked well for us.
>

You are lucky. There are two cases which will invalidate this solution:

1) A bunch of users are behind a single web proxy (such as squid) so they all appear to come from the same IP address. This means you will have multiple tickets for the same IP.

2) A bunch of users are behind a multi-parented web proxy, in which case the users will appear to come from one of a number of addresses. This leads to bizarre behaviour - the user authenticates successfully but gets kicked off later because the ticket/IP pair doesn't match, because a different parent to the one the user authenticated on happened to handle the request.

--
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================
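The two proxy cases in the reply above, modelled as an added Python example that is not part of this thread or of either poster's system. It contrasts a record file keyed by IP (one (IP, ticket) record per address, as the quoted description suggests) with a store keyed by ticket value that merely checks the bound IP, and shows why the first breaks behind a shared proxy and the second still breaks behind a multi-parented one. Class names, the injected clock, and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for the example.

```python
import secrets
import time

# The 10 hour ticket life-cycle from the quoted post, in seconds.
TICKET_LIFETIME = 10 * 3600


class IpKeyedTicketFile:
    """Constructed model of a file of (IP, ticket) pairs keyed by IP.

    One record per address: issuing a ticket for an IP that already has
    one replaces the earlier record, so two users sharing an address
    cannot both hold a valid ticket.
    """

    def __init__(self):
        self._by_ip = {}  # ip -> ticket

    def issue(self, client_ip):
        ticket = secrets.token_urlsafe(24)
        self._by_ip[client_ip] = ticket
        return ticket

    def validate(self, ticket, client_ip):
        return self._by_ip.get(client_ip) == ticket


class IpBoundTicketStore:
    """Constructed model keyed by ticket value; each ticket is bound to the
    IP it was issued to and expires after TICKET_LIFETIME. Any number of
    tickets may share one address.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._tickets = {}  # ticket -> (bound_ip, expiry)

    def issue(self, client_ip):
        ticket = secrets.token_urlsafe(24)
        self._tickets[ticket] = (client_ip, self._now() + TICKET_LIFETIME)
        return ticket

    def validate(self, ticket, client_ip):
        entry = self._tickets.get(ticket)
        if entry is None:
            return False
        bound_ip, expiry = entry
        if self._now() > expiry:
            del self._tickets[ticket]
            return False
        # The ticket is only honoured from the address it was issued to.
        return bound_ip == client_ip


def shared_proxy_case():
    """Case 1: two users behind one proxy (constructed address 192.0.2.10).

    Returns (alice_valid_in_ip_keyed_file, alice_valid_in_ticket_keyed_store)
    after Bob logs in from the same proxy address.
    """
    proxy_ip = "192.0.2.10"
    ip_file = IpKeyedTicketFile()
    store = IpBoundTicketStore()

    alice_file_ticket = ip_file.issue(proxy_ip)
    alice_store_ticket = store.issue(proxy_ip)
    ip_file.issue(proxy_ip)  # Bob's login overwrites Alice's record
    store.issue(proxy_ip)    # Bob's ticket coexists with Alice's

    return (ip_file.validate(alice_file_ticket, proxy_ip),
            store.validate(alice_store_ticket, proxy_ip))


def multi_parent_proxy_case():
    """Case 2: a multi-parented proxy sends requests via one of several
    parents (constructed addresses 192.0.2.21 and 192.0.2.22).

    Returns (valid_via_authenticating_parent, valid_via_other_parent).
    """
    parents = ["192.0.2.21", "192.0.2.22"]
    store = IpBoundTicketStore()
    ticket = store.issue(parents[0])  # login happened to go through parent 0
    return (store.validate(ticket, parents[0]),
            store.validate(ticket, parents[1]))


def expiry_case():
    """The ticket is refused once the 10 hour life-cycle has elapsed."""
    clock = [1_000_000.0]
    store = IpBoundTicketStore(now=lambda: clock[0])
    ticket = store.issue("192.0.2.5")
    before = store.validate(ticket, "192.0.2.5")
    clock[0] += TICKET_LIFETIME + 1
    after = store.validate(ticket, "192.0.2.5")
    return (before, after)


if __name__ == "__main__":
    print("shared proxy (ip-keyed, ticket-keyed):", shared_proxy_case())
    print("multi-parent proxy (same parent, other parent):", multi_parent_proxy_case())
    print("expiry (before, after):", expiry_case())
```

Keying by ticket value removes the first problem, since the store no longer assumes one ticket per address; the second problem is inherent to binding a ticket to a source address at all, because the address the server sees is chosen by the proxy, not the user.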
This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 23:13:12 PDT