Ticket #30 (defect)

Opened 2 years ago

Last modified 1 year ago

Cookie middleware broken when used behind a proxy server

Status: reopened

Reported by: anonymous
Assigned to: somebody
Priority: critical
Milestone:
Component: component1
Version:
Keywords:
Cc:

At line 269 in `__call__`, authkit.authenticate.cookie:

    remote_addr = environ.get('HTTP_X_FORWARDED_FOR',
                              environ.get('REMOTE_ADDR', '0.0.0.0'))

Which I believe is correct, but in set_user_cookie (line ~391):

    if self.include_ip:
        remote_addr = environ['REMOTE_ADDR']

This is only an issue if (like me), the user has turned on authkit.cookie.includeip.

Change History

08/09/07 16:44:38: Modified by anonymous

  • status changed from new to closed.
  • resolution set to fixed.

Looks like this is fixed in r99

05/22/08 12:36:06: Modified by dp@mcrservice.it

  • status changed from closed to reopened.
  • resolution deleted.

The X-Forwarded-For HTTP header may contain multiple comma-separated IP addresses (ref. http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-3518b69c63e221cc3cd7885415e365ffaf3dd27f) and this is not taken into account in authorization.cookie: when the WSGI environ variable HTTP_X_FORWARDED_FOR happens to be in the form '128.138.243.150, 192.52.106.30', encode_ip_timestamp fails at line 223 with:

    ValueError: invalid literal for int() with base 10: '150, 192'

07/24/08 09:38:55: Modified by anonymous

I can confirm the response from dp@mcrservice.it - I'm running into the same error.

However, the file/module in question is authkit.authenticate.cookie at line 223 (compared to dp@mcrservice.it's authorization.cookie at line 223).

09/30/08 13:44:33: Modified by anonymous

I have a similar error:

    File '/home/memoadmin/envs/memo/lib/python2.5/site-packages/AuthKit-0.4.1dev_r156-py2.5.egg/authkit/authenticate/cookie.py', line 245 in encode_ip_timestamp
      ip_chars = ''.join(map(chr, map(int, ip.split('.'))))
    ValueError: invalid literal for int() with base 10: 'unknown'
    HTTP_X_FORWARDED_FOR: 'unknown, 79.188.0.130'

It seems that it is valid to have 'unknown' in HTTP_X_FORWARDED_FOR.

http://www.thepcspy.com/read/getting_the_real_ip_of_your_users
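Added example, not AuthKit's own code: the two failure modes reported above (a comma-separated X-Forwarded-For list, and the literal token 'unknown') both come from handing the raw header value to encode_ip_timestamp, and the original report shows the encode and set_user_cookie paths reading different environ keys. The sketch below puts the address selection in one helper that both paths can call, so the IP baked into the cookie is the same one later checked against it, and validates before packing. It consults X-Forwarded-For only when REMOTE_ADDR is one of an assumed set of trusted proxies (TRUSTED_PROXIES is a hypothetical value), because the header is otherwise client-supplied; it then takes the rightmost address that is not one of those proxies.

```python
import ipaddress
import struct

# Hypothetical configuration: the reverse proxy addresses whose
# X-Forwarded-For header we are willing to believe.
TRUSTED_PROXIES = {"10.0.0.2"}


def _valid_ipv4(s):
    """True only for a dotted-quad IPv4 address."""
    try:
        return isinstance(ipaddress.ip_address(s), ipaddress.IPv4Address)
    except ValueError:
        return False


def client_ip(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the client's IPv4 address as a string, or None if unknown.

    X-Forwarded-For may be a comma-separated list and may contain
    'unknown'. It is only consulted when REMOTE_ADDR is a trusted proxy;
    otherwise the header is whatever the client chose to send.
    """
    remote_addr = environ.get("REMOTE_ADDR", "0.0.0.0")
    if remote_addr not in trusted_proxies:
        return remote_addr if _valid_ipv4(remote_addr) else None

    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right (nearest proxy) and skip our own proxies; the
    # first other address is the peer our proxy actually talked to.
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        return hop if _valid_ipv4(hop) else None
    # Header empty or only our proxies: fall back to the proxy itself.
    return remote_addr


def encode_ip_timestamp(ip, timestamp):
    """Pack an IPv4 address and a 32-bit timestamp into 8 bytes.

    Rejects anything that is not a dotted quad up front instead of raising
    ValueError from inside map(int, ...), as in the tracebacks above.
    """
    if not _valid_ipv4(ip):
        raise ValueError("not a dotted-quad IPv4 address: %r" % (ip,))
    ip_bytes = bytes(int(part) for part in ip.split("."))
    return ip_bytes + struct.pack(">I", int(timestamp))


def cookie_ip_for(environ):
    """The single value both cookie encoding and set_user_cookie should use."""
    ip = client_ip(environ)
    if ip is None:
        raise ValueError("could not determine a client address")
    return ip


if __name__ == "__main__":
    # Constructed environ values mirroring the two comments above.
    for xff in ("128.138.243.150, 192.52.106.30", "unknown, 79.188.0.130"):
        env = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": xff}
        print(xff, "->", cookie_ip_for(env), encode_ip_timestamp(cookie_ip_for(env), 0))
```

With include_ip turned on, calling cookie_ip_for from both the authentication and the cookie-setting path removes the mismatch from the original report, and a request whose only forwarded addresses are 'unknown' is refused rather than crashing inside encode_ip_timestamp.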
