View Issue Details

ID: 0013035
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-02-15 03:51
Reporter: scmme
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: have not tried
Status: acknowledged
Resolution: open
Product Version: 1.2.5
Summary: 0013035: Secure Session Support for Platforms masking client source address but injecting HTTP headers
Description

Some platforms will mask the client source IP address that session validation is based on. Certain implementations, such as the F5 BigIP, will inject the client IP address as a configurable HTTP header. It is desirable to have support for this so that secure sessions can be used with these devices in these specific configurations.

Steps To Reproduce

1. Configure the proxy or solution (i.e., F5 Load Balancer) to mask the client source address.
2. Enable the feature on the solution to inject headers (e.g., "X-Forwarded-For").
3. Configure the device for multiple exit IP addresses.
4. Ensure g_session_validation is ON.
5. Log in to the site and attempt to use it.

Tags: No tags attached.
Attached Files: none

Relationships

related to 0029336 acknowledged session died due to Cloudflare proxy 
related to 0028974 acknowledged Multiple issues in session validation function 

Activities

scmme

2011-05-27 13:34

reporter ~0028861

While investigating this I noticed that the behavior for session invalidation also would return the user to the default landing page. In scenarios where we detect that a user has possibly had their session hijacked, it may also be desirable to force a log-out.

scmme

2011-05-27 13:37

reporter ~0028862

Potential patch against the 1.2.5 branch; adds 3 new configuration variables:
@global string $g_session_validation_header
@global bool $g_session_validation_header_required
@global bool $g_session_autologout

session_api now depends on user_api and authentication_api to support logout functionality.
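As an added illustration, not the reporter's patch and not MantisBT code, the following sketches how the three options named above could drive session validation when a proxy masks the client address and injects it in a header. The function names session_validation_client_address and session_validation_check, the trusted-proxy list $g_session_validation_trusted_proxies and all addresses are assumptions constructed for this example; the ticket itself only names the three $g_session_* options.

```php
<?php
// Added example, not the reporter's patch or MantisBT code. It sketches how
// the three options named in the ticket could drive session validation when a
// proxy masks the client address and injects it in a header.
//
// Assumptions not in the ticket: $g_session_validation_trusted_proxies and the
// two function names below are hypothetical. The header is only honoured when
// REMOTE_ADDR is one of the proxy's exit addresses, because any client can send
// an X-Forwarded-For header of its own choosing.

if (!defined('ON')) {
    define('ON', 1); // MantisBT's own constant, redefined for stand-alone use
}

$g_session_validation                 = ON;                // existing option
$g_session_validation_header          = 'X-Forwarded-For'; // from the ticket
$g_session_validation_header_required = true;              // from the ticket
$g_session_autologout                 = true;              // from the ticket
$g_session_validation_trusted_proxies = ['10.0.0.5', '10.0.0.6']; // assumption

/**
 * Address the session should be bound to, or null when the configured header
 * is required but missing, malformed, or sent by an untrusted peer.
 */
function session_validation_client_address(array $server): ?string {
    global $g_session_validation_header, $g_session_validation_header_required,
           $g_session_validation_trusted_proxies;

    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($g_session_validation_header === '') {
        return $remote; // no header configured: legacy behaviour
    }

    // PHP exposes request headers in $_SERVER as HTTP_<NAME>, '-' becoming '_'.
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $g_session_validation_header));
    $from_proxy = in_array($remote, $g_session_validation_trusted_proxies, true);

    if (!$from_proxy || !isset($server[$key])) {
        return $g_session_validation_header_required ? null : $remote;
    }

    // The header may carry a chain "client, proxy1, proxy2"; the leftmost
    // entry is the client as seen by the first proxy in the chain.
    $client = trim(explode(',', $server[$key])[0]);
    return filter_var($client, FILTER_VALIDATE_IP) === false ? null : $client;
}

/**
 * Compare the address stored at login with the current request's address.
 * Returns 'ok', or on mismatch 'logout' ($g_session_autologout) / 'redirect'
 * (the existing behaviour of sending the user to the landing page).
 */
function session_validation_check(?string $stored, ?string $current): string {
    global $g_session_validation, $g_session_autologout;

    if ($g_session_validation !== ON || ($current !== null && $stored === $current)) {
        return 'ok';
    }
    return $g_session_autologout ? 'logout' : 'redirect';
}

// Constructed requests: one user, two proxy exit addresses, then a request
// that bypasses the proxy and carries no header.
$login   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
$via_alt = ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.6'];
$direct  = ['REMOTE_ADDR' => '198.51.100.20'];

$stored = session_validation_client_address($login);
foreach (['via_alt' => $via_alt, 'direct' => $direct] as $name => $request) {
    $current = session_validation_client_address($request);
    printf("%-8s current=%s result=%s\n", $name, $current ?? 'null',
           session_validation_check($stored, $current));
}
```

Binding the session to the header value only when the request arrives from a known proxy exit address is the check that makes the header usable for validation at all; without it the value being validated is chosen by the client, and the required/autologout options decide what happens when the header is absent or the address changes.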