Roy (owdbetts) wrote in lj_dev,
Roy
owdbetts
lj_dev

X-Forwarded-For

Ok, I posted this in the support forum, and they told me to post here instead :-)

I've had a long running problem with the "bind to IP address" feature simply logging me out of LJ when I was accessing the site through a squid proxy.

I finally tracked this down to the presence of the X-Forwarded-For header in the HTTP requests that squid is generating. Configuring squid to suppress this header fixes the problem.

This appears to be related to code in LiveJournal.pm, which looks at various headers including X-Forwarded-For, presumably in an attempt to get the original IP address from your front-end proxy servers.

Somehow the presence of this header in the original request (as seen by LJ) seems to confuse LJ's notion of what IP address I'm coming from.

This is clearly a bug (and a frustrating one, because the cause of the problem is not at all obvious to the user), though I realize probably not a high priority.

However, this also raises another concern: is it possible for someone to fool this code into thinking they're coming from an address of their choice, simply by adding appropriate headers to their HTTP request, and thus bypass the protection of the "bind to IP address" feature?

-roy

Update: Reported in Zilla as bug #1697. Technical discussion of this should probably take place there, rather than in comments here.
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 24 comments