[Zope] Access Permission by Domain and without Login?
Dieter Maurer
dieter at handshake.de
Mon Jun 14 14:32:23 EDT 2004
sathya wrote at 2004-6-14 10:35 -0500:
>is the domain filtering in zope going by the client ip in the http header ?
>
>i assume you mean the clientip value in the http header can be set to
>any value without affecting the actual IP it originated from ?
>
>if thats the case then domain filtering in zope is not useful in my
>opinion. please point out fallacies in my reasoning if any :)
I expect (though did not check) that the HTTP header "REMOTE_ADDR"
is set by the Web server to the ip of the incoming socket connection
-- independent of any "REMOTE_ADDR" that might be present in
the request.
Nevertheless, this ip might quite easily have been forged.
--
Dieter
More information about the Zope
mailing list