bcit-ci / CodeIgniter

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

session match ip #5613

Closed synanhero closed 6 years ago

synanhero commented 6 years ago

I am using DigitalOcean. If I enable session match IP, $_SERVER['REMOTE_ADDR'] always returns my server IP, so this looks like it is not trustable.

Xcreen commented 6 years ago

$_SERVER['REMOTE_ADDR'] always gives the IP of the machine from which the request comes.
So you are probably using a proxy or load balancer? You can change it to the "HTTP_X_FORWARDED_FOR" header, but be careful with it!

jim-parry commented 6 years ago

This is a support problem, and should be addressed on the forum, where there are several threads about this already. We use github for bug tracking, thanks.

Xcreen commented 6 years ago

It's a bug. The option "sess_match_ip" is simply not working.
And if you can't fix it, you have to at least mention it in the documentation.

jim-parry commented 6 years ago

This or similar issues have been reported many times (#5287, #4944, #4003, #907, ...). It has shown up on the forum a number of times (threads 71743, 70767, 69099, 66143, ...). The consensus seems to be that this is a CDN/hosting problem, not a bug in any framework, and that a solution needs careful design of primary keys for any session tables and probably using the documented workaround with the Input class (https://www.codeigniter.com/user_guide/libraries/input.html#CI_Input::ip_address). I don't know what more we can do?

Xcreen commented 6 years ago

Yes, it's a hosting/environment issue. I don't know what the best way to handle it is.
But if we can't find a fix for it, we should add a note in the documentation for that option, because there is no information that it might not work in some environments. Maybe we can use the description field for sess_match_ip for it. https://www.codeigniter.com/user_guide/libraries/sessions.html#session-preferences

narfbg commented 6 years ago

> $_SERVER['REMOTE_ADDR'] always returns my server IP, so this looks like it is not trustable

On the contrary, $_SERVER['REMOTE_ADDR'] is the only trustable source; everything else is spoofable.

> You can change it to the "HTTP_X_FORWARDED_FOR" header, but be careful with it!

"You can use this thing, but be careful with it! I'm not going to tell you about any of the dangers, but be careful!"

... great advice. </sarcasm>

> It's a bug. The option "sess_match_ip" is simply not working.

It's not a bug and it works exactly as intended. It may not work like you wish it did, but that doesn't change a thing.

Here's an SO answer of mine on the topic: https://stackoverflow.com/a/44134766/468027

> And if you can't fix it, you have to at least mention it in the documentation.

> But if we can't find a fix for it, we should add a note in the documentation for that option, because there is no information that it might not work in some environments. Maybe we can use the description field for sess_match_ip for it.

There's nothing to fix. Again, it works exactly as intended.

Saying it doesn't work because you get hit by the proxy IP is like saying it doesn't work for people sitting behind NAT routers (virtually everybody today) because you don't get their private network addresses ...

Limitations like these are natural, because networks are complicated, fragile and composed of countless technologies. Our documentation is very detailed already, without going into all of this, and we're not about to turn it into a CCNA course.
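The point made above (REMOTE_ADDR is the only address the server can verify, X-Forwarded-For is client-supplied input) is what a proxy-aware IP resolver has to respect. The following is an added example, not part of the thread and not CodeIgniter's code; it follows the same idea as the framework's `proxy_ips` setting but is a stand-alone function, and the proxy addresses in it are constructed placeholders.

```php
<?php
// Added example (not CodeIgniter's code): pick the address to match a
// session against without trusting a spoofable header. X-Forwarded-For is
// consulted only when the direct peer (REMOTE_ADDR) is a proxy we operate.

// IPv4 addresses of the load balancers we control (constructed values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the client address for a session-IP check.
 *
 * - If REMOTE_ADDR is not one of our proxies, any X-Forwarded-For header
 *   is untrusted input and is ignored; the peer address is returned.
 * - If it is, take the right-most X-Forwarded-For entry that is not itself
 *   a trusted proxy: that is the hop our proxy appended, and entries a
 *   client prepends to the header cannot displace it.
 */
function resolve_client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $forwarded = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $forwarded));
    // Walk from the proxy side backwards, skipping our own proxies.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue;
        }
        // Accept only a syntactically valid IP; otherwise give up on the header.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break;
    }
    return $peer; // header unusable: fall back to the peer we can verify
}

// Constructed requests (RFC 5737 documentation addresses): one arriving via
// our load balancer, one arriving directly but carrying a forged header.
$via_proxy = ['REMOTE_ADDR' => '10.0.0.5',
              'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 203.0.113.9'];
$forged    = ['REMOTE_ADDR' => '198.51.100.7',
              'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
var_dump(resolve_client_ip($via_proxy)); // hop appended by our own proxy
var_dump(resolve_client_ip($forged));    // forged header ignored, peer returned
```

With an empty `TRUSTED_PROXIES` list the function degenerates to plain REMOTE_ADDR, which is exactly the behaviour `sess_match_ip` shows on a host that fronts the application with a proxy.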