On Thu, 19 Sep 2002, Daniel Naber wrote:

> > But I feel unsafe in changing that. Could someone explain?
> http://bugzilla.mozilla.org/show_bug.cgi?id=20122
> So long actually that I didn't read it :-)

Read it. Basically it's just a security measure against a cookie stealing attack. However, all of them are sick of this restriction. There are 3 suggestions, none of them currently implemented:

a) make it check a "netmask" only, i.e. check the first 16 bits of the IP if they still match
b) add a "loosely login" checkbox that makes it ignore the IP check
c) make it use the HTTP_X_FORWARDED_FOR HTTP header, which would fix the problem of a changing IP behind rotating proxy servers. Problem here is that often this header isn't there for privacy reasons or it contains a private IP address in case of NAT (Simon's case). -> useless.

IMHO reducing it to a class C netmask check would be the best thing to do. It is very unlikely that rotating proxy servers aren't in the same subnet for arp-proxying reasons. There is a patch for this case attached to the bug report but it doesn't seem to be optimal. At least not clean enough for committing it.

-- 
Dirk (received 65 mails today)
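
The netmask comparison from suggestion a) and the header problem from suggestion c), as an added Python example that is not part of the original mail or of Bugzilla's code. The function names are hypothetical, and the sample addresses are constructed from the reserved benchmarking range 198.18.0.0/15.

```python
import ipaddress

# RFC 1918 ranges: an X-Forwarded-For value inside these does not identify
# which client sits behind the NAT, so it cannot bind a login cookie.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def same_network(login_ip, request_ip, prefix_len):
    """True if request_ip lies in the /prefix_len network of login_ip."""
    login = ipaddress.ip_address(login_ip)
    request = ipaddress.ip_address(request_ip)
    if login.version != request.version:
        return False
    net = ipaddress.ip_network(f"{login}/{prefix_len}", strict=False)
    return request in net


def usable_forwarded_for(header_value):
    """Return the first X-Forwarded-For address, or None when the header is
    missing, malformed, or an RFC 1918 address. The header is client-supplied,
    so it is only meaningful when a trusted proxy sets it."""
    if not header_value:
        return None
    first = header_value.split(",")[0].strip()
    try:
        addr = ipaddress.ip_address(first)
    except ValueError:
        return None
    if any(addr in net for net in RFC1918 if net.version == addr.version):
        return None
    return str(addr)


def check_matrix(login_ip, request_ips):
    """For each request IP, report which policy keeps the login cookie valid
    (IPv4 only: /32 is the exact-match check)."""
    return {ip: {"exact": same_network(login_ip, ip, 32),
                 "/24": same_network(login_ip, ip, 24),
                 "/16": same_network(login_ip, ip, 16)}
            for ip in request_ips}


# Constructed sample data: one login address, then later request addresses.
LOGIN_IP = "198.18.1.10"
REQUESTS = ["198.18.1.10", "198.18.1.77", "198.18.2.10", "198.19.0.5"]

if __name__ == "__main__":
    for ip, result in check_matrix(LOGIN_IP, REQUESTS).items():
        print(ip, result)
    print(usable_forwarded_for("192.168.1.20"))
```

Each step down in prefix length widens the set of addresses from which a stolen cookie would still be accepted: a /24 admits 256 addresses, a /16 admits 65,536.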