|
|
Posted by Gordon Burditt on 11/05/06 10:35
>> It certainly should generate 2 sessions for accessing two different
>> web sites. Even if they have different IP addresses, that doesn't
>> mean it's not the same machine.
>>
>
>Same IP address same site same connection 2 sessions - should only be 1 -
>It IS the same machine.
No, ISPs very often put many, many web sites (e.g. 100, and no,
that's not an exaggeration) on the same machine and use only a
single IP address to do it. They are *NOT* supposed to be the same
web site, and it *DOES* make a difference which host name you put
in the URL (even though they all point at the same IP). The only
problem with this is that some old browsers, like netscape 1.1,
don't send the Host: header with a HTTP request so it doesn't work,
but nobody uses those any more.
>clearly people are being particularly dense or are deliberately trying to
>disguise a massive security problem by making a simple bug seem complex.
What *security* problem? If nobody can stay logged in, the system
seems pretty secure to me, almost as good as unplugging it, but still
secure.
>Looks like I'll have to start wirting it up for magazine publication.
>Shame because I'd rather have kept it inside the community.
Navigation:
[Reply to this message]
|