[horde] checkSessionIP and proxies
Juan Germano
jigermano at uolsinectis.com.ar
Mon Dec 13 13:58:31 PST 2004
Hi. I was getting the 'Your Internet Address has changed since the
beginning of your session. To protect your security, you must login
again' message although my IP address hadn't changed. The reason is that we
have a number of proxies with round bind balance, so
$_SERVER['REMOTE_ADDR'] changes all the time. I believe
$_SERVER['HTTP_X_FORWARDED_FOR'] should be used instead in these cases so
I made the necessary changes. Feel free to correct if you don't like my
coding style. Also, I'm not so sure one should check for either variable
available, but maybe set somewhere which one we're using? Are there cases
where this would break things?
Index: Auth/Auth.php
===================================================================
RCS file: /repository/framework/Auth/Auth.php,v
retrieving revision 1.142
diff -u -b -r1.142 Auth.php
--- Auth/Auth.php 29 Oct 2004 21:21:54 -0000 1.142
+++ Auth/Auth.php 13 Dec 2004 21:48:01 -0000
@@ -671,7 +671,7 @@
'credentials' => $credentials,
'realm' => $realm,
'timestamp' => time(),
- 'remote_addr' => isset($_SERVER['REMOTE_ADDR']) ?
$_SERVER['REMOTE_ADDR'] : null,
+ 'remote_addr' =>
isset($_SERVER['HTTP_X_FORWARDED_FOR'])?$_SERVER['HTTP_X_FORWARDED_FOR']:(isset($_SERVER['REMOTE_ADDR'])
? $_SERVER['REMOTE_ADDR'] : null),
'browser' => $GLOBALS['browser']->getAgentString(),
);
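Review bot: The new 'remote_addr' expression prefers $_SERVER['HTTP_X_FORWARDED_FOR'] whenever it is set, with no check that the request actually arrived through one of the proxies. On a direct connection that header is supplied by the client, so the address stored in the session becomes whatever the client sent. The header can also carry a comma-separated list of addresses, which would be stored whole. Suggest using the header only when REMOTE_ADDR is a configured proxy address and taking a single address from it; the nested ternary would also read better moved into a small helper.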
@@ -1079,8 +1079,8 @@
*/
function _checkSessionIP()
{
- return (empty($GLOBALS['conf']['auth']['checkip']) ||
- (isset($_SESSION['__auth']['remote_addr']) &&
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']));
+ return (empty($GLOBALS['conf']['auth']['checkip']) ||
((isset($_SESSION['__auth']['remote_addr']) &&
+ (($_SESSION['__auth']['remote_addr'] ==
$_SERVER['REMOTE_ADDR'])||($_SESSION['__auth']['remote_addr'] ==
$_SERVER['HTTP_X_FORWARDED_FOR']))))) ;
}
/**
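Review bot: The added comparison in _checkSessionIP() reads $_SERVER['HTTP_X_FORWARDED_FOR'] without an isset() guard, so any request without the header raises an undefined-index notice. The check also passes when the stored address equals either REMOTE_ADDR or the header, and the first hunk stores the header when it is present, so a request from any address passes as long as it repeats the same header value, which removes the protection checkip is meant to give. Suggest deriving the client address once in a helper that is used both when the session is created and here, and comparing against that single value.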
--
Juan Germano
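
An added example (not part of the original post or of Horde's code) of one way to resolve the client address for this check: X-Forwarded-For is honoured only when the direct peer is a known proxy. The function name clientAddress(), the $trustedProxies list and all addresses are assumptions constructed for illustration.

```php
<?php
// Added example; clientAddress() and $trustedProxies are hypothetical names.

/**
 * Return the address a session should be bound to. X-Forwarded-For is used
 * only when the direct peer (REMOTE_ADDR) is one of our own proxies.
 */
function clientAddress(array $server, array $trustedProxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : null;
    if ($peer === null || !in_array($peer, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // The header is a comma-separated chain; each proxy appends the peer it
    // saw. Walk from the right and skip our own proxies: the first other hop
    // is what our outermost proxy saw. Entries further left are client-supplied.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the direct peer
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $peer;
}

// Constructed sample data: a two-proxy pool and a few request environments.
$trustedProxies = array('192.0.2.10', '192.0.2.11');
$requests = array(
    'via proxy A'        => array('REMOTE_ADDR' => '192.0.2.10',
                                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7'),
    'via proxy B'        => array('REMOTE_ADDR' => '192.0.2.11',
                                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7'),
    'direct, header set' => array('REMOTE_ADDR' => '198.51.100.99',
                                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7'),
    'proxy, extra hop'   => array('REMOTE_ADDR' => '192.0.2.10',
                                  'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.99'),
);
foreach ($requests as $label => $server) {
    printf("%-20s %s\n", $label, clientAddress($server, $trustedProxies));
}
```

The same function would be called both where the session stores 'remote_addr' and inside _checkSessionIP(), so the two sides always compare like with like.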