[horde] Clients with multiple IP addresses being forcibly logged out

Rick Romero rick at havokmon.com
Tue Aug 23 14:47:16 UTC 2016


  Quoting Ole Wolf <wolf at blazingangles.com>:

> My Horde PC has two IP addresses: an IPv4 address and an IPv6 address.
> My client PC also has an IPv4 address and an IPv6 address.
>
> This means that sometimes my client PC will connect to the horde server
> using my client PC's IPv4 address, and shortly after it will use its
> IPv6 address. And so Horde logs me out warning me that my IP address has
> changed. For example:
>
> 2016-08-21T21:04:30+02:00 NOTICE: HORDE User XXXXXX is not authorized
> (Remote host: 192.168.2.103) [pid 28749 on line 324 of
> "/usr/share/php/Horde/Registry.php"]
>
> followed shortly after a login by:
>
> 2016-08-21T21:14:05+02:00 NOTICE: HORDE User XXXXXX is not authorized
> (Remote host: 2001:XXXXXXXXXX:23b0) [pid 27096 on line 324 of
> "/usr/share/php/Horde/Registry.php"]
>
> I realize it's a security feature, but here's the problem:  multiple
> client IP addresses is a valid setup (e.g., caused by IPv4 aliases,
> multiple network cards, or multiple IPv6 addresses), so how do I resolve
> this? Is there a configuration
> option in Horde that I can't find that allows me to disable the IP
> address verification?

horde/config/conf.php:
$conf['auth']['checkip'] = false;

Or Authentication Tab in Horde Configuration page -

* $conf[auth][checkip]
Should we always store and validate the IP address of the client (as seen
by the web server) in the session? Doing so will help increase security by
making it harder for an attacker from another host to hijack the session.
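
Added example, not part of the original message and not Horde code: before turning checkip off, an administrator can confirm that the forced logouts line up with IPv4/IPv6 switches by scanning the Horde log for "not authorized" entries whose remote host changes address family for the same user. It assumes one log entry per line in the format quoted above; the sample entries, user names, the 2001:db8:: address, the 30-minute window and the function names are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample entries in the format quoted in the post (one entry per line).
SAMPLE_LOG = """\
2016-08-21T21:04:30+02:00 NOTICE: HORDE User alice is not authorized (Remote host: 192.168.2.103) [pid 28749 on line 324 of "/usr/share/php/Horde/Registry.php"]
2016-08-21T21:14:05+02:00 NOTICE: HORDE User alice is not authorized (Remote host: 2001:db8::23b0) [pid 27096 on line 324 of "/usr/share/php/Horde/Registry.php"]
2016-08-21T21:20:00+02:00 NOTICE: HORDE User bob is not authorized (Remote host: 192.168.2.50) [pid 27100 on line 324 of "/usr/share/php/Horde/Registry.php"]
2016-08-21T23:55:00+02:00 NOTICE: HORDE User bob is not authorized (Remote host: 192.168.2.51) [pid 27101 on line 324 of "/usr/share/php/Horde/Registry.php"]
"""

ENTRY = re.compile(
    r"^(?P<ts>\S+) NOTICE: HORDE User (?P<user>\S+) is not authorized "
    r"\(Remote host: (?P<host>[^)]+)\)"
)

def parse(log_text):
    """Yield (timestamp, user, ip) for every 'not authorized' entry."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["host"].strip())
        except ValueError:
            continue  # redacted value or hostname instead of an address
        yield datetime.fromisoformat(m["ts"]), m["user"], ip

def family_flips(log_text, window=timedelta(minutes=30)):
    """Return {user: [(earlier_ip, later_ip), ...]} for consecutive denials
    where the address family changed (IPv4 <-> IPv6) within `window`."""
    last = {}   # user -> (timestamp, ip) of the previous denial
    flips = {}
    for ts, user, ip in sorted(parse(log_text), key=lambda e: e[0]):
        prev = last.get(user)
        if prev and ip.version != prev[1].version and ts - prev[0] <= window:
            flips.setdefault(user, []).append((str(prev[1]), str(ip)))
        last[user] = (ts, ip)
    return flips

if __name__ == "__main__":
    for user, pairs in family_flips(SAMPLE_LOG).items():
        print(user, pairs)
```

Users reported here are being denied from both address families in quick succession, which matches the dual-stack case described in the question; denials from different addresses of the same family (bob in the sample) are not reported and deserve a separate look.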

