[ic] Interchange Session bug with IPv6 only

David Christensen david at endpoint.com
Tue Nov 3 22:42:02 UTC 2009

In Vend/Dispatch.pm, we check the MV_SESSION_ID against a regex to  
validate the contents of the cookie to prevent session hijacking.

The current code checks against IPv4 addresses, but does not handle  
IPv6 correctly:

$CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})
     [:_] (
         ( \d{1,3}\. # An IP ADDRESS
     # A user name or domain
     | ([A-Za-z0-9][-\@A-Za-z.0-9]+) )?

My proposal is to add to the list of valid IP addresses a regex that  
matches an IPv6 address as well, perhaps something along these lines:


Exact pattern match is willing to be debated... :-)


David Christensen
End Point Corporation
david at endpoint.com

More information about the interchange-users mailing list