[Esapi-user] AuthenticationHostException

Rohit Sethi rklists at gmail.com
Sun Feb 27 16:44:01 EST 2011

Hi all, I'm playing around with the File Based Authentication in ESAPI and I
seem to run into a problem and I'm wondering if others have the same issue.
I'm testing with a simple app running on localhost, and for whatever reason
the authenticator seems to sometimes use an ipv6 loopback address (::1) and
at other times it uses an ipv4 loopback address ( I think there's
a string .equals() check to see if the IP address changes for a user within
a session. For example, if I first log in to the app using my browser, and I
then try to log in afterwards when proxying through Burpsuite I get the

02-27 16:32:44 [INFO] [ExampleApplication:Authenticator] - [SECURITY SUCCESS
Anonymous:null at unknown ->]
Password verified for test
02-27 16:32:44 [INFO] [ExampleApplication:DefaultUser] - [SECURITY SUCCESS
test:759065 at 0:0:0:0:0:0:0:1 ->]
Set last successful login time to Sun Feb 27 16:32:44 EST 2011 for test
02-27 16:32:44 [WARN] [ExampleApplication:IntrusionDetector] - [SECURITY
FAILURE test:759065 at 0:0:0:0:0:0:0:1 ->] User session just
jumped from 0:0:0:0:0:0:0:1 to
org.owasp.esapi.errors.AuthenticationHostException: Host change

I'm using ESAPI-2.0-RC7-b-Early-Release.jar on Windows 7 with Firefox 3.6.

I thought about filing a bug but figured I'd ask if this was simply a
problem with configuration, an expected response, or a legitimate bug.

Rohit Sethi
Security Compass
twitter: rksethi
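For readers hitting the same exception, here is an added illustration (not ESAPI code, and not from the original post) of why a raw string comparison flags the loopback hosts in the log above as a change, and what a normalized comparison looks like. The helper names and the sample addresses are constructed for this example; it assumes only the Python standard library.

```python
import ipaddress

# Addresses taken from the situation in the post: the servlet container
# reports the loopback client as IPv6 on one request and IPv4 on another.
SESSION_HOST = "0:0:0:0:0:0:0:1"   # stored when the session was created
REQUEST_HOST = "127.0.0.1"          # seen on the later (proxied) request


def naive_host_changed(session_host: str, request_host: str) -> bool:
    """The .equals()-style check: any difference in spelling is a 'host change'."""
    return session_host != request_host


def canonical_host(addr: str) -> str:
    """Collapse the textual forms one client can present into a single key.

    '0:0:0:0:0:0:0:1', '::1', '127.0.0.1' and '::ffff:127.0.0.1' all map to
    'loopback'; other IPv4-mapped IPv6 addresses are unwrapped to IPv4.
    """
    text = addr.strip()
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        # Not an IP literal (e.g. 'unknown' in the Anonymous log line): keep as-is.
        return text.lower()
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:a.b.c.d -> a.b.c.d
    if ip.is_loopback:
        return "loopback"            # 127.0.0.0/8 and ::1 are the same machine
    return ip.compressed             # canonical spelling, e.g. 'fe80::1'


def normalized_host_changed(session_host: str, request_host: str) -> bool:
    """Host-change check that is insensitive to IPv4/IPv6 loopback spelling.

    Note: merging address forms makes the intrusion check slightly less strict,
    so only the loopback and IPv4-mapped cases are collapsed, nothing wider.
    """
    return canonical_host(session_host) != canonical_host(request_host)


if __name__ == "__main__":
    print("naive check says changed:     ", naive_host_changed(SESSION_HOST, REQUEST_HOST))
    print("normalized check says changed:", normalized_host_changed(SESSION_HOST, REQUEST_HOST))
    print("real move to another host:    ", normalized_host_changed(SESSION_HOST, "10.0.0.5"))
```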
