On 2 June 2010 18:11, Joshua Paine <jos...@letterblock.com> wrote:
> Only 127.0.0.1 is privileged, right? So can we just not trust
> X-Forwarded-For: 127.0.0.1 no matter who says it, and not worry if
> X-Forwarded-For is abused otherwise?
>

No. Fossil keys its login cookies off the user's IP address. If the user can provide X-Forwarded-For, then stealing a cookie becomes a lot more useful.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
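
The point made in the reply above, as an added example (not Fossil's code and not from the thread): a login cookie bound to the client address is only as strong as the way that address is determined. The HMAC cookie format, the secret, the trusted-proxy set and all addresses below are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-secret"                      # constructed value
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}    # assumed local reverse proxy


def naive_client_ip(peer_addr, headers):
    """Weak variant: believes X-Forwarded-For no matter who sent it."""
    return headers.get("X-Forwarded-For", peer_addr).split(",")[0].strip()


def client_ip(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and then only the right-most entry (the one that proxy appended)."""
    peer = ipaddress.ip_address(peer_addr)
    xff = headers.get("X-Forwarded-For", "")
    if peer not in trusted or not xff.strip():
        return str(peer)
    try:
        return str(ipaddress.ip_address(xff.split(",")[-1].strip()))
    except ValueError:
        return str(peer)  # malformed header: fall back to the real peer


def _mac(user, ip):
    return hmac.new(SECRET, f"{user}|{ip}".encode(), hashlib.sha256).hexdigest()


def make_cookie(user, ip):
    """Issue a cookie whose MAC covers both the user name and the address."""
    return f"{user}/{_mac(user, ip)}"


def cookie_valid(cookie, ip):
    """Accept the cookie only when presented from the address it was bound to."""
    user, _, mac = cookie.partition("/")
    return hmac.compare_digest(mac, _mac(user, ip))


def demo():
    """Same copied cookie, same request, evaluated by both resolvers."""
    cookie = make_cookie("alice", "198.51.100.7")  # issued to the real user
    # Presented later from a different peer that supplies its own header.
    peer, hdrs = "203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}
    return (cookie_valid(cookie, naive_client_ip(peer, hdrs)),
            cookie_valid(cookie, client_ip(peer, hdrs)))
```

`demo()` returns `(True, False)`: with the naive resolver the IP binding adds nothing once the header is client-controlled, while the trusted-proxy check keeps the binding tied to the real peer.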