sling-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felix Meschberger <>
Subject Re: [jira] Commented: (SLING-1116) FORM Based Authentication
Date Mon, 01 Feb 2010 10:36:58 GMT

On 01.02.2010 11:04, Peter Chiochetti wrote:
> On Mon, Feb 01, 2010 at 08:39:51AM +0000, Marcel Reutegger (JIRA) wrote:
>> Marcel Reutegger commented on SLING-1116:
>> -----------------------------------------
>>> HttpServletRequest.getRemoteAddress()
>> this method returns the address of the client or the last proxy that sent the request.
if there is indeed a proxy in between, then this may hide that a request is possibly sent
from a different client.
> I have seen checkboxes on login forms, with a wording like:
> "limit session to this computer" or so.
> I think this binds a session to an IP-address after signup,
> the reason being, to prevent stolen cookies from working.

True, provided the client is not passing any proxies.

If the request passes any proxies (be it HTTP proxies like Squid or just
some transparent IP Masquerading router) the server has absolutely no
clue about the actual client IP. In fact, in such situations the IP
address is generally useless anyways, because it happens to be a private
use space IP address (10.x.x.x, 172.[16-31].x.x, 192.168.x.x).


View raw message