View Issue Details

| Field | Value |
|---|---|
| ID | 0013035 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2011-05-26 17:38 |
| Last Update | 2023-02-15 03:51 |
| Reporter | scmme |
| Assigned To | |
| Priority | normal |
| Severity | major |
| Reproducibility | have not tried |
| Status | acknowledged |
| Resolution | open |
| Product Version | 1.2.5 |
| Summary | 0013035: Secure Session Support for Platforms masking client source address but injecting HTTP headers |
| Description | Some platforms will mask the client source IP address that session validation is based on. Certain implementations, such as the F5 BigIP, will inject the client IP address as a configurable HTTP header. It is desirable to have support for this so that secure sessions can be used with these devices in these specific configurations. |
| Steps To Reproduce | Configure a proxy or solution (i.e., F5 Load Balancer) to mask the client source address. |
| Tags | No tags attached. |
| Attached Files | |
While investigating this I noticed that the behavior for session invalidation also would return the user to the default landing page; in scenarios where we detect that a user has possibly had their session hijacked it may also be desirable to force a log-out.

Potential patch against the 1.2.5 branch: adds 3 new configuration variables; session_api now depends on user_api and authentication_api to support logout functionality.
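The report asks for session binding to use a proxy-injected header when the proxy masks the real source address. The risk a defender has to handle is that any client can send such a header itself, so the header must only be honoured when the connection actually arrived from a configured proxy, and only the first hop that is not itself a trusted proxy may be taken as the client. The example below is added here and is not MantisBT's code or the patch mentioned in the note; the function names, the trusted-proxy list, the use of `X-Forwarded-For` as the default header name and the sample requests are all constructed assumptions for illustration.

```php
<?php
// Added example, not MantisBT code: derive the address a session is bound to
// when a load balancer masks REMOTE_ADDR but injects the client address in a header.
// Assumed: $trusted_proxies and the header name come from site configuration.

/**
 * Return the address to bind the session to, or null if none can be trusted.
 *
 * @param array    $server          Copy of $_SERVER (REMOTE_ADDR, HTTP_* keys).
 * @param string[] $trusted_proxies Proxy addresses or IPv4 CIDR ranges allowed to set the header.
 * @param string   $header_name     Header carrying the real client address (assumed default).
 */
function session_client_address(array $server, array $trusted_proxies, string $header_name = 'X-Forwarded-For'): ?string {
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // A header is only trustworthy when the TCP peer is one of our configured proxies;
    // otherwise an arbitrary client could choose the address its session is bound to.
    if (!address_in_list($remote, $trusted_proxies)) {
        return $remote;
    }

    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $header_name));
    if (empty($server[$key])) {
        return $remote;   // proxy did not inject the header: fall back to the proxy address
    }

    // The header may hold a chain "client, proxy1, proxy2". Walk from the right and skip
    // trusted proxies; the first untrusted hop is the client as seen by our own edge.
    $hops = array_map('trim', explode(',', $server[$key]));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null;  // malformed entry: refuse to bind rather than bind to garbage
        }
        if (!address_in_list($hop, $trusted_proxies)) {
            return $hop;
        }
    }
    return null;  // every hop was a trusted proxy; no client address is recoverable
}

/** True if $ip matches any entry in $list (exact IPv4/IPv6 address or IPv4 CIDR). */
function address_in_list(string $ip, array $list): bool {
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            if (inet_pton($ip) === inet_pton($entry)) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $ip_long = ip2long($ip);
        $net_long = ip2long($net);
        if ($ip_long === false || $net_long === false) {
            continue;
        }
        $mask = $bits === '0' ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($ip_long & $mask) === ($net_long & $mask)) {
            return true;
        }
    }
    return false;
}

/** Per-request check: does the current client address still match the one stored at login? */
function session_address_matches(string $stored, array $server, array $trusted_proxies, string $header_name = 'X-Forwarded-For'): bool {
    $current = session_client_address($server, $trusted_proxies, $header_name);
    return $current !== null && $current === $stored;
}

// Constructed sample requests (documentation-range addresses, assumed proxy range).
$trusted = ['10.0.0.0/8'];
$via_lb  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'];
$direct  = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];

var_dump(session_client_address($via_lb, $trusted));   // header honoured: peer is a trusted proxy
var_dump(session_client_address($direct, $trusted));   // header ignored: peer is not a trusted proxy
var_dump(session_address_matches('203.0.113.7', $via_lb, $trusted));
```

In the second sample the header is present but the connection did not come from a configured proxy, so the function ignores it and binds to REMOTE_ADDR; without that check a forged header would be enough to pass the address comparison. When `session_address_matches` returns false, the note's suggestion applies: treat it as a possible hijack and end the session (log the user out) rather than only redirecting to the landing page.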