Item1316: Disable IP matching by default to avoid problems for people moving between LAN and WLAN or using load-sharing gateways
(tm)wiki and Foswiki 1.0.0 have always shipped with IP matching enabled for sessions.
This means that when a user re-uses an existing session, Foswiki checks that the IP address of the request matches the IP address recorded when the session was created.
The idea was to make it harder to use a stolen session cookie.
However, as time has passed this has created problems:
- Proxy gateways used by large corporations now have load-sharing features, so that people inside a firewall accessing a site outside may appear to change IP address as the gateway routes their traffic through multiple connections to the Internet. Each time the IP address changes, the Foswiki user has to re-authenticate. And if the server runs a buggy CGI::Session version, the user even has to close the browser to flush the session cookie completely before authenticating again (Item1306).
- Inside the intranet, people now have laptops and use the LAN in the docking station and WLAN when they undock and move around. Each time they change IP address. If they have a browser open and have accessed the company Foswiki, they get into trouble when they try again. People can easily change IP address many times during a working day.
- People work on the road using 3G modems. Here too the connection gets lost, and when it reconnects maybe seconds later the IP address has normally changed, again causing trouble.
So all in all, having IP matching turned on has become a pain.
On the security side we do not lose much:
- The IP address itself is not a safe measure. On an intranet it is easy to take over someone's IP address after he has left the building and turned off or undocked his computer.
- When people access websites through a proxy/gateway from an intranet to the Internet, they all appear to have the same IP address when they go through the same gateway. Someone who wants to hijack another person's session will very likely be from the same company, and then IP matching gives nearly nothing.
Weighing the minimal security improvement against the problems it creates, Foswiki will ship with IP matching disabled from 1.0.4.
- 18 Mar 2009
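As an added illustration of the trade-off described in this item (this is not Foswiki or CGI::Session code, and it does not reproduce Foswiki's own {Sessions}{UseIPMatching} implementation), the following Python model binds a session to the client IP recorded at login and then plays through the two situations above: a laptop that moves from the wired LAN to the WLAN, and a copied session cookie replayed from behind the same corporate gateway. All addresses and user names are constructed sample values.

```python
"""Toy model of cookie-session validation with and without IP matching.

Added illustration only: not Foswiki or CGI::Session code. It mirrors the
idea behind the -ip_match style check: the client IP is recorded when the
session is created and every later request must come from that IP.
All addresses below are constructed sample values.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    remote_addr: str  # client IP recorded when the session was created


class SessionStore:
    """Server-side session table keyed by the session id carried in the cookie."""

    def __init__(self, use_ip_matching: bool) -> None:
        self.use_ip_matching = use_ip_matching
        self._sessions = {}

    def login(self, user: str, remote_addr: str) -> str:
        """Authenticate and hand out a fresh, unguessable session id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user, remote_addr)
        return sid

    def resume(self, sid: str, remote_addr: str):
        """Return the user for a presented cookie, or None if re-authentication is needed."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.use_ip_matching and sess.remote_addr != remote_addr:
            # IP mismatch: the session is rejected and the user must log in again.
            return None
        return sess.user


def roaming_user_keeps_session(use_ip_matching: bool) -> bool:
    """Laptop logs in on the wired LAN, then sends its next request from the WLAN."""
    store = SessionStore(use_ip_matching)
    sid = store.login("alice", "10.0.1.5")           # docked, LAN address (constructed)
    return store.resume(sid, "10.0.2.7") == "alice"  # undocked, WLAN address (constructed)


def stolen_cookie_accepted(use_ip_matching: bool, attacker_addr: str) -> bool:
    """Victim logs in through the corporate gateway; a copied cookie is replayed later."""
    gateway = "203.0.113.10"  # public address of the corporate proxy (constructed)
    store = SessionStore(use_ip_matching)
    sid = store.login("alice", gateway)
    return store.resume(sid, attacker_addr) == "alice"


if __name__ == "__main__":
    gateway = "203.0.113.10"
    for matching in (True, False):
        print(
            f"IP matching {'on ' if matching else 'off'}:",
            "roaming user stays logged in:", roaming_user_keeps_session(matching),
            "| replay from same gateway accepted:", stolen_cookie_accepted(matching, gateway),
            "| replay from outside accepted:", stolen_cookie_accepted(matching, "198.51.100.9"),
        )
```

Running it shows the asymmetry the item describes: with matching on, the legitimate roaming user is thrown out on the first request from the new address, while a cookie replayed by someone behind the same gateway passes the check exactly as the victim's own requests do. The only case the check stops is a replay from a different address, which is why the setting buys little against the insider scenario that this item considers most likely.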