Using Spamgourmet with anonymizing proxies


Postby Paranoid2000 » Wed Feb 23, 2005 11:00 pm

For privacy reasons, I use the JAP and Tor anonymizing proxies for all web access. With JAP, where you select a specific mix, Spamgourmet has no issues. However with Tor, the mix of servers that traffic gets routed through does change regularly, resulting in Spamgourmet seeing accesses from a different IP address.

This causes Spamgourmet to lose session details (it returns the message "There was a problem with your login. Please log in again."). While it is sometimes possible to get as far as the "Send a message" screen, it is more usual to end up having to log in repeatedly.

Switching back to JAP avoids this problem but JAP's performance is dire at the moment (due to a server failure at Dresden). Couldn't Spamgourmet just rely on cookies?
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby Pkchukiss » Sun Feb 27, 2005 2:23 am

My IP address changes all the time, but I have no problem with SpamGourmet logging me out. Perhaps it is a safety mechanism preventing phishing?
Ignorant no more
[> Visit my weblog <]
Pkchukiss
 
Posts: 2
Joined: Sun Feb 27, 2005 2:12 am
Location: Singapore

Postby josh » Sun Feb 27, 2005 4:25 pm

sg does tie the login cookie to the IP address, but at the class B level -- is that not broad enough?

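Code:
sub getIPToken {
  my $token = shift;
  #my $IPAddress = $ENV{'REMOTE_ADDR'};
  # AOL often switches IP addresses - this pulls it back to the class B
  # (first two octets), anchored at the start of the address
  my ($IPAddress) = $ENV{'REMOTE_ADDR'} =~ /^(\d+\.\d+)\./;
  $IPAddress = '' unless defined $IPAddress;  # no match: don't reuse a stale $1
  return &encrypt($token . $IPAddress);
}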
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby Paranoid2000 » Sun Feb 27, 2005 5:15 pm

With Tor, traffic is routed via 3 mix servers by default - these are selected at random and changed periodically by the Tor client. Since anyone (with sufficient bandwidth) can run a Tor server, traffic can end up coming from anywhere, so matching by class B (or class A even) will give problems.

Why not just have a unique ID number in the cookie for session tracking?
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby josh » Mon Feb 28, 2005 6:58 pm

The cookie is already a unique string -- the IP address check is added on top of that in an effort to foil session hijacking. Admittedly, checking at the class B level is already pretty lax.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm
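
The IP-bound cookie check discussed in this thread, as an added example that is not Spamgourmet's code or any poster's: it binds a session id to the first two octets of the client address and re-checks it against constructed addresses, including the different-network case that a changing Tor exit produces. The secret, session id, sub names and addresses are assumptions, and an HMAC from Digest::SHA stands in for the encrypt call in the posted sub.

```perl
#!/usr/bin/perl
# Added example: session cookie tag bound to the client's /16 ("class B") prefix.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-key';    # assumption: server-side secret

# First two octets of a dotted-quad IPv4 address, or undef if malformed.
sub ip_prefix16 {
    my ($addr) = @_;
    return unless defined $addr
        && $addr =~ /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/;
    return if $1 > 255 || $2 > 255;
    return "$1.$2";
}

# Tag issued at login and stored in the cookie next to the session id.
sub ip_token {
    my ($session_id, $addr) = @_;
    my $prefix = ip_prefix16($addr);
    return unless defined $prefix;      # never issue a tag for a bad address
    return hmac_sha256_hex("$session_id|$prefix", $SECRET);
}

# Re-derive the tag from the current request address and compare.
sub session_valid {
    my ($session_id, $tag, $addr) = @_;
    my $expected = ip_token($session_id, $addr);
    return 0 unless defined $expected && defined $tag;
    return $expected eq $tag ? 1 : 0;
}

my $sid = 'constructed-session-id';
my $tag = ip_token($sid, '198.51.100.7');    # address seen at login

# Constructed request addresses for the cases raised in the thread.
for my $case (
    [ 'same address',                      '198.51.100.7' ],
    [ 'address changed inside the /16',    '198.51.7.20'  ],
    [ 'new exit node in a different /16',  '203.0.113.40' ],
    [ 'malformed REMOTE_ADDR',             'unknown'      ],
) {
    my ($label, $addr) = @$case;
    printf "%-36s %s\n", $label,
        session_valid($sid, $tag, $addr) ? 'accepted' : 'login again';
}
```

The same check rejects a replayed cookie only when the replay comes from a different /16, so it does not cover a cookie captured over plain HTTP and reused from the same network.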

Postby Paranoid2000 » Mon Feb 28, 2005 10:50 pm

If session hijacking is considered a significant risk, would it not be more effective to require the use of HTTPS instead?
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby Paranoid2000 » Thu Apr 28, 2005 1:21 pm

Well this issue seems to have been fixed - SpamGourmet can now be accessed via Tor without any problems. Thanks for addressing this!
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby Paranoid2000 » Thu Apr 28, 2005 2:32 pm

Whoops - I may have posted too soon here (just received a "login problem" message). SG does seem more usable though...
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Re: Using Spamgourmet with anonymizing proxies

Postby Guest » Wed May 25, 2005 1:31 pm

Paranoid2000 wrote: For privacy reasons, I use the JAP and Tor anonymizing proxies for all web access. With JAP, where you select a specific mix, Spamgourmet has no issues. However with Tor, the mix of servers that traffic gets routed through does change regularly, resulting in Spamgourmet seeing accesses from a different IP address.

This causes Spamgourmet to lose session details (it returns the message "There was a problem with your login. Please log in again."). While it is sometimes possible to get as far as the "Send a message" screen, it is more usual to end up having to log in repeatedly.

Switching back to JAP avoids this problem but JAP's performance is dire at the moment (due to a server failure at Dresden). Couldn't Spamgourmet just rely on cookies?


You can find your IP address here: http://www.myipresolve.com and see if it changed.
Guest
 

Postby Paranoid2000 » Fri Dec 22, 2006 4:27 am

Any chance of seeing a fix here? Currently it is almost impossible to get past the first page without being thrown back to the login prompt.
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby Paranoid2000 » Wed Jan 10, 2007 7:50 am

Aaaahhh...that's better. :) Thanks!
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

