[MUD-Dev] Re: strong encryption for authentication
darius at bofh.net.au
Thu Jul 12 14:13:44 New Zealand Standard Time 2001
"Brian Price" wrote
> The secure webserver, on successful login, will return an
> encrypted (using blowfish algorithm) 'cookie' that the client then
> sends to the specified gateway server. The cookies are unique and
> contain certain verification information such as character id,
> client ip address, and a timestamp. Since we use an untrusted
> client model,
How are you getting the client IP?
Proxy servers and IP-based stuff like this tend to not mix well -
mainly because people make a couple of not-necessarily-valid
1) the IP number making the request is the IP number of the
browser. Obviously false in the case of proxied comms, and some
people don't get the option to switch proxies off - transparent
proxying is common down here where bandwidth is expensive.
2) the IP number making the request will remain the same through
the life of the "session" - this gets nifty. My request is
handled by a proxy that has multiple upstream proxies it can pass
a request off to. Often, mid-stream, it'll change parent proxy,
because one or the other is loaded down. So if you've issued a
cookie to 192.168.54.1, you'll find a request with that cookie
coming from 192.168.54.9, but it's still the same session and is a
legitimate request from the same browser - just passed through
Sorry to rant about something that's likely not even a problem for
your specific setup, but I've had to complain to various off-shore
sites about this stuff far too often - you risk making life really
difficult for entire countries, like .au or half of europe, simply
because they do their best to reduce bandwidth use.
Um. It's _possible_ that even port 443 traffic is being
transparently proxied - you'll see that for cable modem users who
are given non-routable addresses and NAT'ed out to the rest of the
world, for instance - so you might want to keep it in mind even if
you're not using a browser as such.
Internet techie Obsidian Consulting Group
Specialising in proxy servers and traffic measuring/billing.
http://www.obsidian.com.au/ darius at obsidian.com.au
MUD-Dev mailing list
MUD-Dev at kanga.nu