[MUD-Dev] Re: strong encryption for authentication

Kevin Littlejohn darius at bofh.net.au
Thu Jul 12 14:13:44 New Zealand Standard Time 2001

"Brian Price" wrote

> The secure webserver, on successful login, will return an
> encrypted (using blowfish algorithm) 'cookie' that the client then
> sends to the specified gateway server.  The cookies are unique and
> contain certain verification information such as character id,
> client ip address, and a timestamp.  Since we use an untrusted
> client model,

How are you getting the client IP?

Proxy servers and IP-based stuff like this tend to not mix well -
mainly because people make a couple of not-necessarily-valid

  1) the IP number making the request is the IP number of the
  browser.  Obviously false in the case of proxied comms, and some
  people don't get the option to switch proxies off - transparent
  proxying is common down here where bandwidth is expensive.

  2) the IP number making the request will remain the same through
  the life of the "session" - this gets nifty.  My request is
  handled by a proxy that has multiple upstream proxies it can pass
  a request off to.  Often, mid-stream, it'll change parent proxy,
  because one or the other is loaded down.  So if you've issued a
  cookie to, you'll find a request with that cookie
  coming from, but it's still the same session and is a
  legitimate request from the same browser - just passed through
  different proxies.

Sorry to rant about something that's likely not even a problem for
your specific setup, but I've had to complain to various off-shore
sites about this stuff far too often - you risk making life really
difficult for entire countries, like .au or half of europe, simply
because they do their best to reduce bandwidth use.

Um.  It's _possible_ that even port 443 traffic is being
transparently proxied - you'll see that for cable modem users who
are given non-routable addresses and NAT'ed out to the rest of the
world, for instance - so you might want to keep it in mind even if
you're not using a browser as such.

Internet techie                    Obsidian Consulting Group
Specialising in proxy servers and traffic measuring/billing.
http://www.obsidian.com.au/           darius at obsidian.com.au

MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the MUD-Dev mailing list