problems with AOL users logging on via proxy server

AOL proxy multiple IP addresses

         

simontesler

8:57 am on Oct 17, 2003 (gmt 0)



Can anyone help me with this?

We run a password-protected information service. Once valid users log on, their IP and logon are effectively locked so that no one else can log on simultaneously using the same username but from a different IP.

This creates a problem for AOL users, because each time they request a new page, the request comes to us from a different IP address (via the AOL proxies), and our server treats the new request like it's an unauthorised additional simultaneous logon.

Is there a way we can advise AOL users to reset their settings so that they bypass the proxies, or use only one IP address?

Simon Tesler

isorg

10:36 am on Oct 17, 2003 (gmt 0)

10+ Year Member



I had similar problems:

[webmasterworld.com...]

In the end I decided not to bother recording the IP address for anyone, because I was getting too many complaints from AOL users saying they cannot access my site. I'm sure there must be a way, but I never worked it out.

Thing is, do you really need to verify the IP address as well as the username/password combination? For my site I decided that the chance of someone logging in as a user with a hacked password at the same time as the genuine user being logged in was too remote to worry about.

Also, my users were not sufficiently IT-literate to rely on them making changes to their browser configuration. I could tell this by the tone of their complaint messages when they couldn't log in. (That's why I went away from cookies to passing variables in the URL).

PCInk

11:07 am on Oct 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a similar problem for a shopping cart. The link in the post above is a fantastic source for information, so I'll post it here again, for convenience:

[webmaster.info.aol.com...]

mykel

10:43 pm on Oct 18, 2003 (gmt 0)

10+ Year Member



Did you try using the environment variable HTTP_X_FORWARDED_FOR?
I don't know about AOL, but if someone uses a normal proxy, then you can get his real IP from that.
In PHP that would be:
$ip=getenv("HTTP_X_FORWARDED_FOR");

BlueSky

11:22 pm on Oct 18, 2003 (gmt 0)

10+ Year Member



AOL is not the only ISP using proxies with dynamic IPs. One of Earthlink's new services puts customers who use it on them too.

HTTP_X_FORWARDED_FOR works okay but not for those using anonymous proxies. That variable can contain multiple IP addresses to include the person's LAN, router, and multiple proxies. So, you have to parse that one out. Though personally I would go with victor's advice in that other thread and not tie an IP to a login.
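
An added example, not part of any post in this thread: one way to parse a multi-address X-Forwarded-For value as described above, honouring it only when the connection itself comes from a proxy you trust, because any client can send that header with whatever content it likes. The function names and the proxy ranges (RFC 5737 documentation addresses) are assumptions for illustration, and only IPv4 is handled.

```php
<?php
// Constructed placeholder ranges (RFC 5737 documentation blocks), not real proxy addresses.
const TRUSTED_PROXIES = ['192.0.2.0/24', '198.51.100.0/24'];

// True if IPv4 address $ip lies inside $cidr, e.g. "192.0.2.0/24".
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipv4_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// The header is consulted only when the TCP peer is a trusted proxy. The list is read
// right to left, skipping trusted proxies; anything further left is client-supplied.
function client_ip(string $remoteAddr, ?string $xff): string
{
    if ($xff === null || !is_trusted_proxy($remoteAddr)) {
        return $remoteAddr;
    }
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!is_trusted_proxy($hop)) {
            return $hop;
        }
    }
    return $remoteAddr;
}

// Constructed samples: [REMOTE_ADDR, X-Forwarded-For header]
$samples = [['192.0.2.10', '10.0.0.5, 203.0.113.7, 198.51.100.4'], ['203.0.113.50', '192.0.2.99']];
foreach ($samples as [$peer, $xff]) {
    echo $peer, ' -> ', client_ip($peer, $xff), PHP_EOL;
}
```

In a real request handler the two arguments would come from `$_SERVER['REMOTE_ADDR']` and `$_SERVER['HTTP_X_FORWARDED_FOR'] ?? null`.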

victor

7:10 am on Oct 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



isorg:
(That's why I went away from cookies to passing variables in the URL).

"Fat URLs" (URLs that are different for each user) carry some risk that some of them will be indexed by search engines.

If some of them do get indexed, then those users' details (or at least customised pages) will be exposed for anyone to see.

This could happen if someone submits:
www/widgets.com/secret-page.html?userid=sdggdgasd
to a search engine.

You can minimize that particular risk by having multiple parameters in the URL (most can be dummies) as most SEs will ignore URLs with 3 or more parameters; or, I'm told, most will not index a URL with id=

www/widgets.com/secret-page.html?id=sdggdgasd&d1=ccc&d2=yyy&d3=zzz

But the URLs could still go public if a user adds a link to "their" page on their own website.

And other ways too.

isorg

2:33 pm on Oct 19, 2003 (gmt 0)

10+ Year Member



I hadn't thought of that.

In my case, the personalisation variables are held on the server database and pulled every time the person loads the page. All that is sent between pages is the username and session id.

A URL acquires a session id only when a user logs in. So a spider would not even know about the session ids.