View Issue Details

IDProjectCategoryView StatusLast Update
0017742phplist applicationInterface - Administratorpublic08-07-15 15:25
Reporterhedrickbt 
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
PlatformOSLinuxOS VersionUbuntu 1204
Product Version3.0.12 
Target Versionnext patchFixed in Version3.2.0 
Summary0017742: Resolution for "Your IP address has changed. For security reasons, please login again" when behind a proxy
DescriptionWhen phpList is running on a server that has a proxy in front of it - for example Apache, the ip address phpList sees is the one from the proxy server, not the client.

The fix for this is to read the x-forwarded-for instead of remote_addr when it exists.
Steps To ReproduceAccess
browser -> apache http server acting as a proxy -> apache http server with php rendering module.

Additional InformationI have created a git pull request that fixes this issue.
TagsNo tags attached.

Activities

michiel

06-07-15 22:15

manager   ~0056325

You can just do

define("CHECK_SESSIONIP",0);

in your config to avoid these issues. But yes, it may be nice to be safer in those setups as well, and keep the flag.

Have you read https://github.com/phpList/phplist3/blob/master/CONTRIBUTING.md ?

Sounds like you have, as you've gone through all the steps :-)
Last step would be to sign the CLA: https://www.phplist.com/cla

hedrickbt

08-07-15 15:20

reporter   ~0056372

I have signed the CLA

Awesome, you have signed the phpList CLA
Your github login: hedrickbt
Your name: Brooke Hedrick
Date signed: 2015-07-08

I am providing the patch as I believe the IP address change is a reasonable check to help with security and I don't want to disable it. This will also help out anyone that checks out phpList, with a proxy in front, to not have to jump online to figure out what needs to be done when that get that error.

Thank you for your consideration.

michiel

08-07-15 15:25

manager   ~0056373

merged and ready