 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Manuel Kasper" <mk at neon1 dot net>
 Cc:  "Mono Dev List" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  The effect of kick concurrent logins, radius_mac and multiple http sessions
 Date:  Thu, 20 Apr 2006 11:53:05 +0200
Even with the fixes committed to the SVN I still have the following issue
with browsers like flock (sometimes mozilla) and using radius
mac_authentication

Apr 20 11:36:55 CONCURRENT LOGIN - TERMINATING OLD SESSION: 00:40:96:ab:4e:fa, 00:40:96:ab:4e:fa, 192.168.3.238
Apr 20 11:36:55 MACHINE LOGIN: 00:40:96:ab:4e:fa, 00:40:96:ab:4e:fa, 192.168.3.238
Apr 20 11:36:54 CONCURRENT LOGIN - TERMINATING OLD SESSION: 00:40:96:ab:4e:fa, 00:40:96:ab:4e:fa, 192.168.3.238
Apr 20 11:36:54 MACHINE LOGIN: 00:40:96:ab:4e:fa, 00:40:96:ab:4e:fa, 192.168.3.238
Apr 20 11:36:53 MACHINE LOGIN: 00:40:96:ab:4e:fa, 00:40:96:ab:4e:fa, 192.168.3.238

The problem is that the browser sends out multiple http requests for
a (sometimes different) site before being logged on.

This is seen as 3 concurrent logins in the case the browser sends out 3
requests.

Before committing the current fixes to svn, ALL login sessions were
locked for 10 seconds due to the way the locking mechanism worked so the
browser seemed to 'hang'. The changes to SVN fix the locking behaviour
so that for the clientside the login is near 'realtime'.

The current problem sits in the way we are handling concurrent logins.

A) we have concurrent login based on ip.
B) we have kick concurrent login based on username

2 things which I think should be handled differently.

*) if situation A) occurs, a situation which actually should never
happen but it does in this specific case, it is safe to reuse the old
session instead of starting a new one, right?

*) if situation B) occurs, a situation which is possibly allowed
depending on the configuration, we should only disconnect the old session
in the following case:
	1) username is the same AND clientip isn't!
	If username and clientip are the same, this should already have been
caught by A)

This is my opinion, please think it over with me and let me know.

J.




-- 
Jonathan De Graeve
Network/System Engineer
Imelda vzw
Informatica Dienst
+32 15/50.52.98
jonathan dot de dot graeve at imelda dot be

---------
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
---------
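
The session handling proposed in the message above, replayed against the burst from its log, as an added sketch that is not part of the original post and is not m0n0wall code. The `Portal` class, the `kick_concurrent` switch, the `replay` helper and the second IP address are assumptions made for illustration; the MAC and first IP are the ones in the log.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Portal:
    kick_concurrent: bool = True                   # assumed name for the "kick concurrent logins" option
    sessions: dict = field(default_factory=dict)   # session id -> (username, client ip)
    events: list = field(default_factory=list)     # (action, session id) audit trail
    _ids: count = field(default_factory=lambda: count(1))

    def _event(self, action, sid):
        self.events.append((action, sid))
        return action, sid

    def login(self, username, ip):
        # Rule A: the same user on the same IP already has a session, so reuse it.
        for sid, (user, sip) in self.sessions.items():
            if sip == ip and user == username:
                return self._event("REUSE", sid)
        # Rule B: end an old session only when the username matches and the IP differs.
        # A different user on an already-used IP is not covered by the message;
        # this sketch assumes the stale session on that IP is replaced.
        for sid, (user, sip) in list(self.sessions.items()):
            if sip == ip or (self.kick_concurrent and user == username):
                del self.sessions[sid]
                self._event("TERMINATE", sid)
        sid = next(self._ids)
        self.sessions[sid] = (username, ip)
        return self._event("LOGIN", sid)

def replay(requests, kick_concurrent=True):
    """Feed (username, ip) login requests to a fresh portal, in order."""
    portal = Portal(kick_concurrent=kick_concurrent)
    return [portal.login(user, ip) for user, ip in requests], portal

# The burst from the log: one client, three HTTP requests before login completes.
# With RADIUS MAC authentication the username is the MAC address.
MAC, IP = "00:40:96:ab:4e:fa", "192.168.3.238"
BURST = [(MAC, IP)] * 3

if __name__ == "__main__":
    # The last request uses a constructed second IP to exercise rule B.
    results, portal = replay(BURST + [(MAC, "192.168.3.50")])
    print(results)
    print(portal.sessions)
```

With these rules the three-request burst produces one session and no terminations, so accounting sees a single login; a termination is only recorded when the same username appears from a different address.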