[Koha-bugs] [Bug 17427] Replace CGI::Session with Data::Session
bugzilla-daemon at bugs.koha-community.org
Fri Oct 21 17:50:32 CEST 2016
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17427
--- Comment #9 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
(In reply to Martin Renvoize from comment #8)
> Comment on attachment 56572
> Bug 17427: Replace CGI::Session with Data::Session
>
> Review of attachment 56572:
> -----------------------------------------------------------------
>
> Generally looks good.. minor question about using ENV though.. not sure
> about that part of the change.
>
> ::: C4/Auth.pm
> @@ +1111,4 @@
> > $session->param( 'branchname', $branchname );
> > $session->param( 'flags', $userflags );
> > $session->param( 'emailaddress', $emailaddress );
> > + $session->param( 'ip', $ENV{REMOTE_ADDR} );
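Review bot: the added $session->param( 'ip', $ENV{REMOTE_ADDR} ) line in
C4/Auth.pm stores the raw environment value with no check that it is defined,
and nothing in the hunk shows whether that value is the client's address or a
front-end proxy's. If the stored 'ip' is later compared against REMOTE_ADDR as
a session check, both reads must see the same, already-normalised value, so a
short comment naming what is expected to populate REMOTE_ADDR (and a decision
on what to store when it is empty) would make that dependency explicit.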
>
> Did we test this against plack? Can we really rely on ENV for
> remote_addr... and in fact.. do we not compare the session ip to the env
> remote_addr in places as a security check?
$ENV{REMOTE_ADDR} is correctly filled on each request by the ReverseProxy
middleware as far as I recall (I debugged plack+ENV several days before making
the packages plack integration official).