
Feature Proposal: New TWiki Config var remoteUserNets

Motivation

The doRememberRemoteUser feature is useful in a LAN environment, but not when TWiki users access your install via NAT addresses. The addition of the comma-separated variable remoteUserNets lets the TWiki administrator control which IP addresses are allowed to be saved in the remoteUserFilename.

Description

This patch requires the use of a new TWiki.cfg variable named $remoteUserNets AND the Perl Module NetAddr::IP.

-- JeffreyHorner - 31 Mar 2005

Impact and Available Solutions

Note: Patch is attached as http://twiki.org/p/pub/Codev/DoRememberRemoteUserEnhancement/RemoteUserNets.patch. The patch is against the TWikiRelease02Sep2004.

Examples

Suppose you set $remoteUserNets in TWiki.cfg like this:

$remoteUserNets = '192.168.0.0/16,10.1.0.0/16';

Then only IP addresses that fall within either 192.168.0.0/16 or 10.1.0.0/16 will be remembered if necessary in the $remoteUserFilename file.

Implementation

This patch augments the subroutine InitializeRemoteUser in TWiki.pm.

Once the subroutine determines that there is a valid $remoteAddr and that $doRememberRemoteUser is set to true, we then determine whether $remoteAddr falls within the IP ranges specified in $remoteUserNets:

    # Only remember if IP address within $remoteUserNets
    if( defined $remoteUserNets and $remoteUserNets ne '' ) {
        require NetAddr::IP;
        my $match = 0;
        foreach my $netstr ( split( /,/, $remoteUserNets ) ) {
            my $net = new NetAddr::IP $netstr;

            if( ! defined $net ) {
                writeWarning "$netstr is not a valid IP Network address in \$remoteUserNets. Please fix in TWiki.cfg.";
                next;
            }
            if( $net->contains( new NetAddr::IP $remoteAddr ) ) {
                $match = 1;
                last;
            }
        }
        if( ! $match ) {
            return $remoteUser;
        }
    }
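
A stand-alone way to try a candidate $remoteUserNets value against sample client addresses before putting it in TWiki.cfg. This is an added example, not part of RemoteUserNets.patch or of TWiki: the function names parse_remote_user_nets and addr_is_remembered and all sample addresses are constructed here, and it assumes IPv4 and an installed NetAddr::IP.

```perl
use strict;
use warnings;
use NetAddr::IP;

# Parse a $remoteUserNets-style comma-separated string.
# Returns (\@networks, \@entries_that_did_not_parse).
sub parse_remote_user_nets {
    my ($spec) = @_;
    my ( @nets, @bad );
    foreach my $entry ( split /,/, defined $spec ? $spec : '' ) {
        $entry =~ s/^\s+|\s+$//g;    # tolerate "a, b" style lists
        next if $entry eq '';
        my $net = NetAddr::IP->new($entry);
        if ( defined $net ) { push @nets, $net } else { push @bad, $entry }
    }
    return ( \@nets, \@bad );
}

# True only if $addr is a dotted-quad address inside one of the networks.
# Anything that does not parse is treated as "not remembered" (fails closed).
sub addr_is_remembered {
    my ( $addr, $nets ) = @_;
    return 0 unless defined $addr && $addr =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my $ip = NetAddr::IP->new($addr);
    return 0 unless defined $ip;
    foreach my $net (@$nets) {
        return 1 if $net->contains($ip);
    }
    return 0;
}

# Constructed input: the value from the Examples section, written with a
# space after the comma, plus one entry with an out-of-range prefix length.
my ( $nets, $bad ) =
  parse_remote_user_nets('192.168.0.0/16, 10.1.0.0/16,10.1.0.0/33');
print "ignored invalid entry: $_\n" for @$bad;

# Constructed addresses: two inside the listed networks, one in 10.2/16,
# one public address standing in for a NAT gateway, one malformed string.
for my $addr (qw(192.168.4.20 10.1.200.7 10.2.0.1 203.0.113.9 not-an-ip)) {
    printf "%-14s %s\n", $addr,
      addr_is_remembered( $addr, $nets ) ? 'remembered' : 'not remembered';
}
```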


Discussion:

Good idea! I confess that if I want any kind of session control beyond the current default I always move to SessionPlugin. That rather suggests the question of whether what you have done here is something that should be in the default install, which after all is targeted at intranets and should be as lightweight as possible, or whether it should be in a plugin.

  • Pros for a core implementation
    1. Trivial, once done everyone gets it
  • Cons
    1. Additional CPAN module dependency
    2. Not required on typical install
    3. Adds complexity to the install for a new user (another thing to think about)
    4. More code in the core
On balance, I think it should be in a plugin - specifically it should be in SessionPlugin.

-- CrawfordCurrie - 02 Apr 2005

I do not see this solves much.

Let us look at the two cases: Business Intranet, and public Internet.

  • Intranet. The doRememberUser feature is no good. Half the time we use TWiki in Motorola it is from a meeting room computer. So the next user that logs in has the same IP address and TWiki thinks I am someone else. So Remember User by IP address in a business Intranet is no good.
  • Public internet: Here most private users have their own IP address. But often they are dynamic. People that access from a business network access through a NAT router so 10000 users can have the same IP address seen from TWiki. So remember user by IP address is no good for public TWikis either.

I would rather remove the feature completely!

And instead include the SessionPlugin in the standard TWiki distribution. TWiki needs a proper session handling so very badly. I use the SessionPlugin both on our company Internet and on my public Motion Twiki.

In fact - if Dakar is released and the SessionPlugin does not work - I will wait to upgrade until the plugin is upgraded and working. It is so essential that a user login is remembered consistently.

An additional important factor in a business environment is that most often the content of a TWiki in a business contains information which means that I must have read access rights to entire webs. Without the SessionPlugin each page load takes 3-7 seconds extra because that is how long it takes to LDAP authenticate on a corporate LDAP server 6000 km away serving 100000 users. With SessionPlugin the users wait the 3-7 seconds ONCE every time they open a new fresh browser window which is easy to live with.

-- KennethLavrsen - 02 Apr 2005

I'm very aware of the need to have SessionPlugin working with Dakar. That's why it's in DakarReleaseNotes as a working plugin. Because it does. Already. So does AuthPagePlugin.

-- CrawfordCurrie - 02 Apr 2005

That is very good news. I was not aware of this latest update on the release notes.

I still think that the session handling should be part of the core code or at least part of the default set of plugins and that the IP address based do remember feature should be removed because it confuses more than it helps simply because you cannot identify people based on IP address in practice. And with SessionPlugin combined with AuthPagePlugin (also new to me) it seems TWiki is really getting a fully featured login/maintain session/logout functionality.

-- KennethLavrsen - 03 Apr 2005

Thanks for the comments...

I agree that the $doRememberRemoteUser feature should go away completely, and I agree that this patch is really a crutch. Because of recent developments, I believe the SessionPlugin should be part of the base install and be configurable.

I just found out, when we turned off the $doRememberRemoteUser feature, that no one on our site is able to view their personalized WebLeftBar, so we'll be installing the SessionPlugin with a login page RSN.

-- JeffreyHorner - 04 Apr 2005

Topic attachments
| Attachment | History | Size | Date | Who | Comment |
| RemoteUserNets.patch | r1 | 2.4 K | 2005-03-31 - 17:57 | JeffreyHorner | Patch to add functionality for TWiki config var remoteUserNets |
Topic revision: r6 - 2005-04-04 - JeffreyHorner