• some guy (unregistered)

    session.getAttribute("frist")

    Also, the entire ordeal left Sophia/Sofia confused about how to spell her name!

  • (nodebb)

    Bonus: 192.168.1 prefix also matches all IP addresses in ranges 192.168.10-192.168.19 and 192.168.100-192.168.199

  • (nodebb) in reply to Kamil Podlesak

    Which is definitely not how subnets work.

  • Rob (unregistered)

    Even if it worked for IPv4, their subnet checking fails horribly for IPv6. I guess they didn't hear about that.

  • (nodebb)

    Tim is more of an Auskranker. Someone who just makes devs (& businesses) sick.

  • (nodebb) in reply to Kamil Podlesak

    In fact, this code (according to the article) doesn't do anything because the session variable isn't set, so it allows IP addresses in ranges 172.43.0-172.43.255, 865.985.0-865.985.999, etc.

  • Duston (unregistered)

    And then the tech overlords put in a proxy server so that every request has the same IP.

  • (nodebb) in reply to Duston

    Since this is JSP which is likely running on Tomcat, a Java flavored Apache httpd, there is a small chance that they could enable to option to use the proxy IP header as the remote addr, which allows access and error logs to show the real address instead of the proxy's. I wouldn't put any money on that though.

  • Bill T (unregistered)

    Kudos to Sophia for being a mentee smart enough to see the errors!

  • xtal256 (unregistered)

    "getRemoteAddr returns an IP address, while getRemoteHost returns a "dotted-string form of the IP address" according to the docs..." To me that suggests that getRemoteAddr returns it as an integer or object, whereas getRemoteHost returns the formatted string. Also, why do people consistently mis-use three letter acronyms like "ATM machine" but when it comes to "IP address" they do the opposite and omit the "address" part? It's not an "IP", it's an "IP address".

    Also also, the article seems to have missed the real WTF, which is that they log an error if the IP addresses don't match but then log another error later saying "oh it's ok ignore the above error"! Just log the "session.invalidated" error inside the "!ip.startsWith(tempIp)" block.

  • Dr Spooner built my spear (unregistered)
    Comment held for moderation.
  • SG (unregistered) in reply to gordonfish
    Comment held for moderation.
  • 56independent (unregistered)
    Comment held for moderation.
  • (nodebb)

    Oh joy, it doesn't handle what happens when someone picks up a laptop and moves from their coffee shop to their office.

  • Ajay Mishra (unregistered)
    Comment held for moderation.
  • Bob (unregistered) in reply to xtal256
    Comment held for moderation.
  • Max Müller (unregistered)

    Another benefit of the (2.5-3 years long) Ausbildung is that you get payed. A Fachinformatiker (likely the job in question) starts at around 980€ (before taxes) + a very decend health insurance + at least 24 days payed leave and around 10 days of payed holidays(and sick leave is not included in the holidays)

  • LZ79LRU (unregistered) in reply to Max Müller
    Comment held for moderation.
  • Ajay Mishra (unregistered)
    Comment held for moderation.
  • [email protected] (unregistered)

    The Bollywood music classes are so much fun! I look forward to each session, knowing I'll leave with a new tune stuck in my head.

    Jugalbandi Learning Studio | Best Bollywood music, Kathak Dance, Painting, drawing, Theatre, Drama, Art, Acting, Classes 9811502348 https://posts.gle/UKZTNv 306, Water Tank Road, opp. Himalaya Appt. Nagar Nigam, Sector 5, Vasundhara, Ghaziabad, Uttar Pradesh 201010

Leave a comment on “Secure Mentorship”

Log In or post as a guest

Replying to comment #:

Log Out

« Return to Article