NYPHP.org

[nycphp-talk] Debugging Remote Problem - Solved

Mitch Pirtle mitch.pirtle at gmail.com
Wed Feb 22 11:37:13 EST 2006


Aha, I was right! We switched away from IP reliance in the upcoming
1.0.8 release, as well as the newer 1.1 development release, see Rey's
comments below about the 1.0.x series:

++++++++++++++++++++++++++++++++++++++++++++++++++++++
It is addressed in 1.0.8, suggest you tell them to read my blog here:
http://dev.joomla.org/component/option,com_jd-wp/Itemid,33/p,28/

Basically they will have an option to use a session id generated from
only the first 3 values of the IP address instead of the full IP, which
should alleviate such problems.  However, the full IP address (which is
more secure) is the default behaviour.

Note this makes session ids slightly less secure (not checking against
full IP); however, the addition of mosConfig_secret and user agent info
will make the generated session id more secure than 1.0.7 and below.
++++++++++++++++++++++++++++++++++++++++++++++++++++++

Cross-posting as it is relevant info for the Joomla SIG.

-- Mitch

On 2/22/06, Mitch Pirtle <mitch.pirtle at gmail.com> wrote:
> On 2/22/06, Hans Kaspersetz <lamolist at cyberxdesigns.com> wrote:
> > The problem came down to Joomla and Mambo using the user's IP address
> > to authenticate users.  When users come from a proxy farm their IP address
> > changes mid session and they lose the data that connects them to the
> > stored session data and the user is logged out.
>
> Forwarded to the Joomla core devs, and I will be following up on this one...
>
> --
> Mitch Pirtle, thinking they had switched to cookies, maybe for 1.1
> Joomla! Core Developer
> Open Source Matters
>


--
Mitch Pirtle
Joomla! Core Developer
Open Source Matters
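
The trade-off described in this thread, as an added example that is not part of the original message and is not Joomla's code: a session lookup key bound to the site secret, the user agent and either the full client IP or only its first three octets. The HMAC-SHA256 construction, the function names and all sample values are assumptions; only the inputs (IP, mosConfig_secret, user agent) come from the thread.

```php
<?php
// Added illustration, not Joomla's code. The HMAC-SHA256 construction and
// all function names are assumptions; only the inputs come from the thread.

// Return the part of the client address the session is bound to (IPv4 only).
function ip_binding(string $ip, bool $fullIp): string
{
    if ($fullIp) {
        return $ip;
    }
    // Keep only the first three octets of the address.
    $octets = explode('.', $ip);
    return implode('.', array_slice($octets, 0, 3));
}

// Derive the server-side lookup key for a session from the cookie value,
// the site secret, the user agent and the (full or partial) client IP.
function session_key(string $cookie, string $secret, string $ua, string $ip, bool $fullIp): string
{
    $material = implode("\n", [$cookie, $ua, ip_binding($ip, $fullIp)]);
    return hash_hmac('sha256', $material, $secret);
}

// Constructed sample values (documentation address ranges).
$secret = 'constructed-site-secret';   // stands in for mosConfig_secret
$cookie = 'constructed-cookie-value';
$ua     = 'Mozilla/5.0 (constructed)';
$login  = '192.0.2.10';                // address seen at login

$requests = [
    'same address'               => ['192.0.2.10', $ua],
    'proxy farm, same /24'       => ['192.0.2.77', $ua],
    'different network'          => ['198.51.100.5', $ua],
    'same /24, other user agent' => ['192.0.2.77', 'curl/8 (constructed)'],
];

foreach ([true, false] as $fullIp) {
    $stored = session_key($cookie, $secret, $ua, $login, $fullIp);
    echo $fullIp ? "full IP binding:\n" : "first three octets:\n";
    foreach ($requests as $label => [$ip, $agent]) {
        // Recompute the key for this request and compare in constant time.
        $ok = hash_equals($stored, session_key($cookie, $secret, $agent, $ip, $fullIp));
        printf("  %-28s %s\n", $label, $ok ? 'session kept' : 'session lost');
    }
}
```

The partial binding only keeps the session when the proxy farm's addresses share the first three octets; a farm spread across networks still logs the user out.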


