
Comments (6)

emilevauge commented on August 27, 2024

@onestraw there is an issue indeed, but I don't agree with:

Malicious user can access the specific server forever by setting backend server in cookie

The fact that the server IP is visible in the cookie is the issue, as we shouldn't be able to see this info. But even if a hash were used instead of the IP, a user could forge a request to access this specific server; indeed, this is the whole point of sticky sessions, right? But in this case, he couldn't guess other servers' IPs.

from oxy.

onestraw commented on August 27, 2024

Yes, we shouldn't disclose the backend server to the client. And we should also avoid giving the client the possibility to select the backend server.

The cookie is used to map to the backend server; a simple hash cannot solve the problem. The LB should have some checking method, checking some unique data for each client.

If we hash the combination of the client address (ip:port, http.Request.RemoteAddr) and the backend server (after the LB selects it), the hash value is used as the cookie. Client A accesses the server, and the GW generates a cookie related to the user's address, which is unique. The second time A accesses the server, the GW looks up the map table or tries to combine A's address with each server and compares the hash value, ... Client B cannot use A's cookie as they have different addresses.


emilevauge commented on August 27, 2024

@onestraw I really don't get the issue here. IP is not something we can trust (multiple users can be behind a proxy and have the same IP). Do you have any example of those checks being done in other projects?


onestraw commented on August 27, 2024

@emilevauge Yes, we cannot trust the client IP; it just increases the difficulty of controlling access to the backend server. Currently I haven't verified it, but I will work more on this and give updates.


emilevauge commented on August 27, 2024

@onestraw to be clear, I think it would be a mistake to introduce this check. You should not lose your cookie (and be disconnected) when your IP changes.


onestraw commented on August 27, 2024

@emilevauge You're right.
I have checked the Tengine session sticky module, which is based on Nginx; it has an option to use the server name's md5 value as the cookie. We can hide the server IP at least.

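The thread ends with two agreed points: the cookie should not carry the backend address in the clear, and binding it to the client IP would break users whose address changes. The following Go program is an added example written for this page, not oxy's own code, showing the leaky plaintext cookie beside an opaque one. It goes one step past the md5-of-server-name option mentioned above by keying the hash (HMAC-SHA256 under a load-balancer secret), so a client cannot compute valid values for other backends even when server names are guessable; a replayed cookie still reaches the same server, which is the intended stickiness, and an unknown value falls back to normal balancing. The cookie name, the secret, the pool addresses and the `Pick` helper are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const cookieName = "_lb_backend" // hypothetical cookie name for the example

// Constructed sample pool; the addresses are private IPs chosen for illustration.
var pool = mustPool("http://10.0.0.1:8080", "http://10.0.0.2:8080", "http://10.0.0.3:8080")

func mustPool(raw ...string) []*url.URL {
	out := make([]*url.URL, 0, len(raw))
	for _, r := range raw {
		u, err := url.Parse(r)
		if err != nil {
			panic(err)
		}
		out = append(out, u)
	}
	return out
}

// PlainValue is the leaky variant the thread objects to: the cookie carries the
// backend address verbatim, so every client learns the server's IP and port.
func PlainValue(backend *url.URL) string { return backend.String() }

// OpaqueValue replaces the address with HMAC-SHA256(key, address) in hex. The
// client sees 64 hex characters that reveal nothing about the address and, without
// the key, cannot derive the value for any other backend (an unkeyed md5 of a
// guessable name would not give that property).
func OpaqueValue(key []byte, backend *url.URL) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(backend.String()))
	return hex.EncodeToString(mac.Sum(nil))
}

// Resolve maps a cookie value back to a pool member by recomputing the tag for
// each server and comparing in constant time (the "combine with each server and
// compare" lookup from the thread, without the client-address binding). A value
// that matches nothing, whether forged, stale or made under another key, yields
// nil so the caller balances normally instead of trusting the client.
func Resolve(key []byte, value string, servers []*url.URL) *url.URL {
	for _, s := range servers {
		if hmac.Equal([]byte(OpaqueValue(key, s)), []byte(value)) {
			return s
		}
	}
	return nil
}

// Pick returns the backend for a request: the one named by a valid cookie
// (sticky=true), otherwise the balancer's own choice supplied by next, in which
// case a fresh opaque cookie is set on the response.
func Pick(key []byte, servers []*url.URL, req *http.Request, w http.ResponseWriter, next func() *url.URL) (*url.URL, bool) {
	if c, err := req.Cookie(cookieName); err == nil {
		if b := Resolve(key, c.Value, servers); b != nil {
			return b, true
		}
	}
	b := next()
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: OpaqueValue(key, b), Path: "/", HttpOnly: true})
	return b, false
}

func main() {
	key := []byte("example-only-secret; load a random 32-byte key from config") // assumption
	fmt.Println("plain cookie  :", PlainValue(pool[0]))
	fmt.Println("opaque cookie :", OpaqueValue(key, pool[0]))

	// First request: no cookie, balancer picks pool[1] and the cookie is issued.
	rr := httptest.NewRecorder()
	b, sticky := Pick(key, pool, httptest.NewRequest("GET", "/", nil), rr, func() *url.URL { return pool[1] })
	fmt.Println("first request ->", b, "sticky:", sticky)

	// Replaying the issued cookie reaches the same backend: that is the point of stickiness.
	req2 := httptest.NewRequest("GET", "/", nil)
	for _, c := range rr.Result().Cookies() {
		req2.AddCookie(c)
	}
	b2, sticky2 := Pick(key, pool, req2, httptest.NewRecorder(), func() *url.URL { return pool[2] })
	fmt.Println("replay        ->", b2, "sticky:", sticky2)

	// A forged value (here the plaintext address of another server) matches nothing and is ignored.
	req3 := httptest.NewRequest("GET", "/", nil)
	req3.AddCookie(&http.Cookie{Name: cookieName, Value: PlainValue(pool[2])})
	b3, sticky3 := Pick(key, pool, req3, httptest.NewRecorder(), func() *url.URL { return pool[0] })
	fmt.Println("forged        ->", b3, "sticky:", sticky3)
}
```

Rotating the key invalidates every outstanding cookie at once, which is the trade-off for not storing any per-client state on the balancer; the Resolve loop is linear in the pool size, which is fine for the handful of backends a sticky pool usually has.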
