
Mailing List Archive: Request Tracker: Users

Cookie problems with proxies

 

 



karthy at kom

Apr 6, 2000, 2:08 PM

Post #1 of 7 (936 views)
Cookie problems with proxies

Hi

I have just installed RT with our ~20 people large helpdesk at SunSITE
Denmark. It works just fine, and has handled more than 20 requests in
the first hour. Great.

We have discovered two problems:

* Our queue members get cookies to the web thingy based on their IP
address, right? Now, some of our queue members go through a bunch
of load-balancing proxies, so their IP address changes constantly and
hence they are denied access. Is there any easy solution to that problem?

* Our local characters (æøå - yes, I hate them too, but they are
widely used!) are often transferred as Quoted Printable, and it works
well _if_ the MIME-Version along with Content-Transfer-Encoding
headers were preserved, but RT seems to strip them when forwarding
email.

Is any work going on in this direction, or should I start digging
myself? I use rt-1.1-CVS

Otherwise, thanks for the really nice product!

Best regards,
Karsten


tobiasb at tobiasb

Apr 6, 2000, 2:29 PM

Post #2 of 7 (900 views)
Re: Cookie problems with proxies

> We have discovered two problems:
>
> * Our queue members get cookies to the web thingy based on their IP
> address, right? Now, some of our queue members go through a bunch
> of load-balancing proxies, so their IP address changes constantly and
> hence they are denied access. Is there any easy solution to that problem?
>

The easy answer is to hack into a file like lib/rt/ui/web/auth.pm or
whatever it was and remove the IP from the cookie.

Jesse, have you thought more about better authentication
for WebRT 2.0? (follow up to dev)

> * Our local characters (æøå - yes, I hate them too, but they are
> widely used!)

æøå is lovely ... try fighting a bit with Cyrillic ... that's even worse
:)

The worst thing is that the subject line gets scrambled and
hence broken. There are more people that are fighting with this problem.
There shouldn't be much effort putting in a filter before RT that puts the
subject line into an 8-bit mix. Has anybody done anything like that?

RT 2.0 will probably be out in June and will fix those problems once and
forever... :)

> are often transferred as Quoted Printable, and it works
> well

No, the subject line gets scrambled, RT doesn't fix that.

For MIME attachments, take a look at the stripmime contribution.

--
Tobias Brox
aka TobiX
+47 22 925 871


karthy at kom

Apr 6, 2000, 2:52 PM

Post #3 of 7 (904 views)
Re: Cookie problems with proxies

>>>>> "Tobias" == Tobias Brox <tobiasb [at] tobiasb> writes:

Tobias> The easy answer is to hack into a file like
Tobias> lib/rt/ui/web/auth.pm or whatever it was and remove the IP
Tobias> from the cookie.

OK - thanks!

>> * Our local characters (æøå - yes, I hate them too, but they are
>> widely used!)

Tobias> æøå is lovely ... try fighting a bit with Cyrillic ... that's
Tobias> even worse :)

I can imagine that :-)

Tobias> The worst thing is that the subject line gets scrambled and
Tobias> hence broken. There are more people that are fighting with this
Tobias> problem. There shouldn't be much effort putting in a filter
Tobias> before RT that puts the subject line into an 8-bit mix. Has
Tobias> anybody done anything like that?

I can live with broken subject lines, but when the content of the
message is unreadable, then I will get a hard time.

Tobias> RT 2.0 will probably be out in June and will fix those
Tobias> problems once and forever... :)

Hmm...Sounds great. Let me get one thing straight. Is rt-1.1 from CVS
the one which will be released as 2.0? (if I will have to hack on
this, I would like to do it on the latest edition)

>> are often transferred as Quoted Printable, and it works well

Tobias> No, the subject line gets scrambled, RT doesn't fix that.

Tobias> For MIME attachments, take a look at the stripmime
Tobias> contribution.

Yes, but that is not a large problem in our situation...

Best regards
Karsten


charlieb at aurema

Apr 6, 2000, 4:30 PM

Post #4 of 7 (928 views)
Re: Cookie problems with proxies

On 6 Apr 2000, Karsten Thygesen wrote:

> >>>>> "Tobias" == Tobias Brox <tobiasb [at] tobiasb> writes:
>
> Tobias> The easy answer is to hack into a file like
> Tobias> lib/rt/ui/web/auth.pm or whatever it was and remove the IP
> Tobias> from the cookie.
>
> OK - thanks!

Or put less of the IP in the cookie - mask it with a network mask. This
was a recommended solution I saw somewhere - I can't remember if it is in
the doco for CGI.pm, or in Apache documentation, or in a Lincoln Stein book
I have...

Charlie Brady
Aurema Pty Ltd
PO Box 305, Strawberry Hills, NSW 2012, Australia
Email:charlieb [at] aurema, Tel: +61 2 9698 2322, Fax: +61 2 9699 9174
"I think it would be a good idea." Gandhi, on Western Civilisation.


tobiasb at tobiasb

Apr 7, 2000, 12:41 AM

Post #5 of 7 (897 views)
Re: Cookie problems with proxies

> I can live with broken subject lines, but when the content of the
> message is unreadable, then I will get a hard time.

You can, but RT can't :) I find it strange you haven't encountered this
problem yet.

> Hmm...Sounds great. Let me get one thing straight. Is rt-1.1 from CVS
> the one which will be released as 2.0? (if I will have to hack on
> this, I would like to do it on the latest edition)

The rt-1-1 branch is the pre-2.0, yes.

--
Tobias Brox
aka TobiX
+47 22 925 871


sommerfeld at orchard

Apr 7, 2000, 8:36 AM

Post #6 of 7 (911 views)
Re: Cookie problems with proxies

> Or put less of the IP in the cookie - mask it with a network mask. This
> was a recommended solution I saw somewhere - I can't remember if it is in
> the doco for CGI.pm, or in Apache documentation, or in a Lincoln Stein book
> I have...

There's no guarantee that all proxies a user may appear through will
be in the same block, or that you'll be able to guess an appropriately
wide netmask..

If you want security, don't trust the source IP address.. an attacker
trying to steal a session may be coming through the same proxy as the
victim...

Instead, use SSL ..

- Bill
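
The two suggestions above (mask the IP in the cookie, or drop the IP and rely on SSL) side by side, as an added example that is not part of the original thread and is not RT's code. The cookie layout, the `rt_session` name and the addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for this example)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def masked(ip: str, prefix: int) -> str:
    """Network part of an address: masked('198.51.100.10', 24) -> '198.51.100.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def issue(user: str, expires: int, bind: str = "") -> str:
    """Signed cookie value 'user|bind|expires|mac'; bind is '' or a masked network."""
    if "|" in user:
        raise ValueError("user name must not contain '|'")
    payload = f"{user}|{bind}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify(cookie: str, now: int, bind: str = ""):
    """Return the user name, or None if the MAC, the binding or the expiry fails."""
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    user, bound, expires = payload.split("|")
    if bound != bind or int(expires) < now:
        return None
    return user


def set_cookie_header(value: str) -> str:
    """Send the cookie over TLS only; 'rt_session' is a hypothetical cookie name."""
    return f"Set-Cookie: rt_session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed scenario: the user logs in via proxy 198.51.100.10, the next
# request leaves via 203.0.113.20; a second client shares the first proxy.
ip_cookie = issue("karsten", expires=2000, bind=masked("198.51.100.10", 24))
same_block = verify(ip_cookie, 1000, bind=masked("198.51.100.77", 24))    # accepted
other_proxy = verify(ip_cookie, 1000, bind=masked("203.0.113.20", 24))    # owner locked out
shared_proxy = verify(ip_cookie, 1000, bind=masked("198.51.100.10", 24))  # copied cookie accepted
plain = issue("karsten", expires=2000)                                    # no IP in the cookie
```

With the IP removed, what protects the cookie is the MAC, the expiry and the TLS-only transport.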


jesse at fsck

Apr 7, 2000, 9:13 AM

Post #7 of 7 (905 views)
Re: Cookie problems with proxies

On Fri, Apr 07, 2000 at 11:36:13AM -0400, Bill Sommerfeld wrote:
> If you want security, don't trust the source IP address.. an attacker
> trying to steal a session may be coming through the same proxy as the
> victim...
>
> Instead, use SSL ..
> - Bill

*nod* The goal of the current password hashing was to do something
that would be "slightly" better than http-basic. In production,
SSL is something that you can depend on.

--
jesse reed vincent -- jrvincent [at] wesleyan -- jesse [at] fsck
pgp keyprint: 50 41 9C 03 D0 BC BC C8 2C B9 77 26 6F E1 EB 91
--------------------------------------------------------------
They'll take my private key when they pry it from my cold dead fingers!
