AOL requests are forwarded via proxy servers - each request is 'round
robined' through x number of proxy servers; each request in the same session
can have a different IP because they were proxied through different servers.
The internal IP address wouldn't change, but that isn't the address that the
web server sees - it sees the addresses of the proxy servers. Same
principle as NAT but via multiple gateways.
Here is a live example from our IIS log files - some names have been
changed to protect the innocent ;-) :
2004-08-05 19:08:18 152.163.253.33 - 80 GET /valens.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) -
2004-08-05 19:09:05 152.163.252.101 - 80 GET /announcements.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/valens.htm
2004-08-05 19:09:07 152.163.252.194 - 80 GET /_derived/announcements.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:09 152.163.253.36 - 80 GET /images/AN01249_.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:18 152.163.252.100 - 80 GET /family_forest.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:20 152.163.252.194 - 80 GET /_derived/family_forest.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/family_forest.htm
2004-08-05 19:09:42 152.163.253.9 - 80 GET /gallery.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/family_forest.htm
2004-08-05 19:09:46 152.163.252.196 - 80 GET /_derived/gallery.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/gallery.htm
2004-08-05 19:09:52 152.163.253.36 - 80 GET /contacts.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/gallery.htm
2004-08-05 19:09:53 152.163.252.98 - 80 GET /_derived/contacts.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/contacts.htm
2004-08-05 19:10:05 152.163.253.98 - 80 GET /guest_book.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/contacts.htm
2004-08-05 19:10:08 152.163.252.104 - 80 GET /_derived/guest_book.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/guest_book.htm
2004-08-05 19:10:18 152.163.253.103 - 80 GET /home.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/guest_book.htm
2004-08-05 19:10:19 152.163.252.101 - 80 GET /_derived/valens.htm_cmp_glacier-roots010_vbtn_a.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.36 - 80 GET /_derived/home.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.103 - 80 GET /_derived/valens.htm_cmp_glacier-roots010_vbtn.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.100 - 80 GET /images/j0174006.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.101 - 80 GET /images/HM00287_.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:21 152.163.252.98 - 80 GET /_themes/glacier-roots/aglabul1.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+A
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:Og**************@TK2MSFTNGP10.phx.gbl...
Within the AOL LAN, IP addresses are assigned on a per-client-session
basis, if I'm not mistaken (at least with dial-up connections). But again, this
is not my area of expertise. Still, I understand quite a bit about networks,
and I can't imagine why an IP address of a machine inside a network would
change within the same client session. It is, again, the "return address"
of the computer on the network.
--
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.
"gerry" <ge**@hotmail.com> wrote in message
news:Oc**************@TK2MSFTNGP14.phx.gbl...
Are you sure about that?
From what I have read about AOL proxies and what I see in my IIS logs,
it seems that this is not true and that there can be multiple IPs for a
single client within a session.
I don't have the ASP.NET session id in the log files so I can't be 100%
certain.
Gerry
"Kevin Spencer" <ke***@DIESPAMMERSDIEtakempis.com> wrote in message
news:OL**************@TK2MSFTNGP15.phx.gbl...
Hi Hope,
Your method looks pretty sound to me. The client's IP address cannot
change between requests. It is, after all, the "return address" for the
client's HTTP messages.
--
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
Sometimes you eat the elephant.
Sometimes the elephant eats you.
"Hope Paka" <ut*******@hotmail.com> wrote in message
news:es**************@TK2MSFTNGP09.phx.gbl...
> I am storing user login information (not password) in the session. I also
> use cookieless session. I realized that, if someone copy-pastes the URL
> after he/she logged in to the system to another person, the other person's
> browser opens as if the sender logged in.
>
> 1) Person A logs in to the system. (login information is stored in SQL
> Session state)
>
> 2) Person A copy-pastes the url and sends it to person B (format of the
> url is http://domain/(sessionid)/XYZ.aspx)
>
> 3) When person B opens the URL, its window opens as if person A was
> logged in to the system.
>
> This is a security threat. I have overcome this by doing the following.
>
> When user logs in to the system, a login ticket is generated and it is
> stored in the session. This login ticket contains two things, one is
> client ip address, the other one is user-agent.
>
> Then at each request, I validate if the registered login ticket
> information is same.
>
> If person A sends URL to person B, then I assumed that person B's ip
> address should be different than person A.
>
> I found an article on MSDN,
> http://msdn.microsoft.com/msdnmag/is...08/WickedCode/ (Foiling
> Session Hijacking Attempts). The way Jeff has done is similar to the one
> that I have done. Is this reliable? The only thing I wonder is if the
> user's IP address changes at each request!
>
>
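To make the disagreement in this thread measurable, here is an added example (not code from any of the posters) that replays Hope's IP + User-Agent login-ticket check against the AOL browsing session gerry pasted from his IIS logs. The log lines below are constructed to match the field layout of gerry's excerpt (client IPs and paths copied from it, trimmed to the page requests), the SHA-256 ticket digest is an assumption about how such a ticket might be stored, and the referer-chain check is a simple heuristic for "one browser walking the site" rather than anything ASP.NET provides.

```python
"""Replay an IP + User-Agent session ticket against an AOL-proxied session.

Constructed example: the W3C extended log lines mirror gerry's IIS excerpt
(field order: date time c-ip cs-username s-port cs-method cs-uri-stem
cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)).
"""
import hashlib

AOL_UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1)"
HOST = "www.oursite.com"

# Constructed sample session: one AOL user following links page to page,
# each hop arriving from a different AOL proxy address.
LOG_LINES = [
    f"2004-08-05 19:08:18 152.163.253.33 - 80 GET /valens.htm - 200 {HOST} {AOL_UA} -",
    f"2004-08-05 19:09:05 152.163.252.101 - 80 GET /announcements.htm - 200 {HOST} {AOL_UA} http://{HOST}/valens.htm",
    f"2004-08-05 19:09:09 152.163.253.36 - 80 GET /images/AN01249_.gif - 200 {HOST} {AOL_UA} http://{HOST}/announcements.htm",
    f"2004-08-05 19:09:18 152.163.252.100 - 80 GET /family_forest.htm - 200 {HOST} {AOL_UA} http://{HOST}/announcements.htm",
    f"2004-08-05 19:09:42 152.163.253.9 - 80 GET /gallery.htm - 200 {HOST} {AOL_UA} http://{HOST}/family_forest.htm",
    f"2004-08-05 19:09:52 152.163.253.36 - 80 GET /contacts.htm - 200 {HOST} {AOL_UA} http://{HOST}/gallery.htm",
    f"2004-08-05 19:10:05 152.163.253.98 - 80 GET /guest_book.htm - 200 {HOST} {AOL_UA} http://{HOST}/contacts.htm",
    f"2004-08-05 19:10:18 152.163.253.103 - 80 GET /home.htm - 200 {HOST} {AOL_UA} http://{HOST}/guest_book.htm",
]

FIELDS = ["date", "time", "c_ip", "username", "s_port", "method",
          "uri_stem", "uri_query", "status", "host", "user_agent", "referer"]


def parse_w3c_line(line):
    """Split one space-delimited W3C extended log line into a dict.
    IIS substitutes '+' for spaces inside the User-Agent, so a plain split is safe."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def follows_referer_chain(entries):
    """True when every request carrying a Referer points at a URL this same
    sequence already fetched: the footprint of one browser walking the site,
    whatever client IP each hop was recorded under."""
    seen = set()
    for e in entries:
        if e["referer"] != "-" and e["referer"] not in seen:
            return False
        seen.add(f"http://{e['host']}{e['uri_stem']}")
    return True


def distinct_client_ips(entries):
    """Client addresses the web server saw during the sequence."""
    return sorted({e["c_ip"] for e in entries})


def make_ticket(client_ip, user_agent):
    """Hope's login ticket: client IP plus User-Agent captured at login.
    Storing it as a digest is this example's assumption, not the thread's."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


def check_ticket(ticket, entry):
    """Per-request validation: does the current request still match the ticket?"""
    return ticket == make_ticket(entry["c_ip"], entry["user_agent"])


def replay_ticket_check(entries):
    """Issue the ticket at the first request (the 'login') and validate every
    later request against it. Returns how many requests the server would
    accept and how many it would reject for this one legitimate user."""
    login = entries[0]
    ticket = make_ticket(login["c_ip"], login["user_agent"])
    accepted = sum(1 for e in entries[1:] if check_ticket(ticket, e))
    return {"accepted": accepted, "rejected": len(entries) - 1 - accepted}


def replay_user_agent_only(entries):
    """Same replay bound to User-Agent alone. It survives the proxy rotation,
    but the header is chosen by the client, so this is a far weaker binding
    and on its own does not solve the copied-URL problem."""
    login_ua = entries[0]["user_agent"]
    accepted = sum(1 for e in entries[1:] if e["user_agent"] == login_ua)
    return {"accepted": accepted, "rejected": len(entries) - 1 - accepted}


if __name__ == "__main__":
    session = [parse_w3c_line(line) for line in LOG_LINES]
    print("one browsing chain:", follows_referer_chain(session))
    print("distinct client IPs:", distinct_client_ips(session))
    print("IP+UA ticket:", replay_ticket_check(session))
    print("UA-only ticket:", replay_user_agent_only(session))
```

Run as-is, the referer chain confirms the eight requests are one navigation path, yet seven distinct client addresses appear, so the strict IP + User-Agent ticket rejects every request after the login. That is the false-positive rate Hope's scheme would see from this one AOL user; the User-Agent-only variant is shown alongside only to make clear that loosening the check to what survives proxy rotation also removes most of its value against a shared URL.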