According to Tim Nowaczyk:
>
> My company implemented this but went one more step. They created a
> file that had (IP, ticket) pairs. The ticket was passed around in
> URLs, but wasn't valid unless it came from the specific IP. To
> pretend to be someone else, one would have to spoof their IP and
> guess the value of their (10 hour life-cycle) ticket. We did this,
> originally, because we wanted to support web browsers that didn't
> use cookies. The file was, actually, more like (IP, ticket,
> cookie-type-options-and-settings). It worked well for us.
>
You are lucky. There are two cases which will invalidate this
solution:
1) A bunch of users are behind a single web proxy (such as squid) so
they all appear to come from the same IP address. This means you
will have multiple tickets for the same IP.
2) A bunch of users are behind a multi-parented web proxy, in which
case the users will appear to come from one of a number of
addresses. This leads to bizarre behaviour - the user
authenticates successfully but gets kicked off later because the
ticket/IP pair doesn't match, because a different parent to the one
the user authenticated on happened to handle the request.
--
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================
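The two proxy failure cases above, as an added Python example that is not part of the thread: a ticket store keyed by ticket (so several users behind one squid IP do not collide) with strict IP binding, and a constructed variant that treats the egress addresses of a known multi-parented proxy as one origin. IP addresses, user names and the `trusted_proxy_groups` setting are assumptions for the demo.

```python
import secrets
import time

TICKET_LIFETIME = 10 * 60 * 60  # 10-hour ticket life, as in the quoted scheme


class TicketStore:
    """Server-side (IP, ticket) pairs. Keyed by ticket value so that case 1
    (many users behind one proxy IP) yields distinct, non-colliding tickets."""

    def __init__(self, trusted_proxy_groups=()):
        # Constructed mitigation for case 2: every address in a group is
        # treated as the same origin, so a request via another parent of the
        # same proxy still matches the ticket. Requires knowing the proxy's
        # egress addresses in advance.
        self._groups = [frozenset(g) for g in trusted_proxy_groups]
        self._tickets = {}  # ticket -> (origin, expires_at)

    def _origin(self, ip):
        for group in self._groups:
            if ip in group:
                return group
        return ip

    def issue(self, ip, now=None):
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # unguessable ticket value
        self._tickets[ticket] = (self._origin(ip), now + TICKET_LIFETIME)
        return ticket

    def validate(self, ticket, ip, now=None):
        now = time.time() if now is None else now
        entry = self._tickets.get(ticket)
        if entry is None:
            return False
        origin, expires_at = entry
        if now >= expires_at:
            del self._tickets[ticket]  # expired: drop it
            return False
        return origin == self._origin(ip)


def demo():
    strict = TicketStore()
    # Case 1: alice and bob both arrive from one squid proxy (constructed IP).
    t_alice = strict.issue("198.51.100.7", now=0)
    t_bob = strict.issue("198.51.100.7", now=0)
    case1_ok = (t_alice != t_bob and strict.validate(t_alice, "198.51.100.7", 1)
                and strict.validate(t_bob, "198.51.100.7", 1))
    # Case 2: carol logs in via parent .10, next request leaves via parent .11.
    t_carol = strict.issue("203.0.113.10", now=0)
    case2_strict = strict.validate(t_carol, "203.0.113.11", 1)  # kicked off
    grouped = TicketStore(trusted_proxy_groups=[{"203.0.113.10", "203.0.113.11"}])
    t_dave = grouped.issue("203.0.113.10", now=0)
    case2_grouped = grouped.validate(t_dave, "203.0.113.11", 1)  # survives
    return {"case1_ok": case1_ok, "case2_strict": case2_strict,
            "case2_grouped": case2_grouped,
            "other_ip": grouped.validate(t_dave, "192.0.2.99", 1),
            "expired": grouped.validate(t_dave, "203.0.113.10", TICKET_LIFETIME)}
```

Grouping only helps when the proxy's parent addresses are known and stable; a proxy whose egress set changes still produces the mid-session kick-off described above.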