[Koha-bugs] [Bug 17050] Accessing the REST API through Plack kicks the session out

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Mar 4 16:46:08 CET 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17050

Andrew Isherwood <andrew.isherwood at ptfs-europe.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrew.isherwood at ptfs-europ
                   |                            |e.com
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |---

--- Comment #20 from Andrew Isherwood <andrew.isherwood at ptfs-europe.com> ---
I've been facing this problem, or something very similar, today.

This is on 18.11.03.000 with Plack and memcached enabled and with the
SessionRestrictionByIP syspref enabled. I am finding that API requests that
require authorisation are causing the session to time out. This manifests
itself as the API request returning a 401, with the body {"error":"Session has
been expired."}.

After doing some digging, the "timeouts" happen because the condition on this
line fails:

https://github.com/PTFS-Europe/koha/blob/18.11.03/C4/Auth.pm#L912

Specifically, $ip is coming back from the session store as 127.0.0.1 and
$ENV{'REMOTE_ADDR'} is the true client IP, so they do not match and the
condition fails.

So, it seems to me that when the session is created, for some reason 127.0.0.1
is being stored as the remote IP. Doing some research, the "acknowledged" way
of ensuring the remote IP passes through an Apache proxy cleanly is:

ProxyPreserveHost On

However, including this in the Apache config doesn't resolve the problem. 

Anyone got any ideas?

-- 
You are receiving this mail because:
You are watching all bug changes.
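
The mismatch described in comment #20, modelled as an added example (not Koha's C4::Auth code and not part of the original message): a session pinned to the address seen at login is rejected when a later request resolves the client address differently. It assumes the login path stored the proxy's loopback address while the API path resolved the forwarded client address; all function names and the 203.0.113.7 address are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model of an IP-pinned session behind a local reverse proxy.
# All names here are hypothetical; this is not Koha's C4::Auth code.
my %TRUSTED_PROXY = map { $_ => 1 } ('127.0.0.1');

# Resolve the client address the same way for every entry point:
# honour X-Forwarded-For only when the direct peer is a trusted proxy,
# and take the right-most hop that is not itself a trusted proxy.
sub client_ip {
    my ($env) = @_;
    my $peer = $env->{REMOTE_ADDR};
    return $peer unless $TRUSTED_PROXY{$peer} && $env->{HTTP_X_FORWARDED_FOR};
    my @hops = split /\s*,\s*/, $env->{HTTP_X_FORWARDED_FOR};
    while ( defined( my $hop = pop @hops ) ) {
        return $hop unless $TRUSTED_PROXY{$hop};
    }
    return $peer;
}

# The pinning check: the stored address must equal the address seen now.
sub session_ok {
    my ( $session, $seen_ip ) = @_;
    return $session->{ip} eq $seen_ip ? 'ok' : 'expired (IP mismatch)';
}

# Constructed requests: both arrive from the proxy on loopback, which
# forwards the same client (203.0.113.7, a documentation address).
my $login = { REMOTE_ADDR => '127.0.0.1', HTTP_X_FORWARDED_FOR => '203.0.113.7' };
my $api   = { REMOTE_ADDR => '127.0.0.1', HTTP_X_FORWARDED_FOR => '203.0.113.7' };

# Inconsistent: login path stores the raw peer, API path resolves the header.
my $session = { ip => $login->{REMOTE_ADDR} };
printf "inconsistent: stored=%s seen=%s -> %s\n",
    $session->{ip}, client_ip($api), session_ok( $session, client_ip($api) );

# Consistent: both paths use client_ip().
$session = { ip => client_ip($login) };
printf "consistent:   stored=%s seen=%s -> %s\n",
    $session->{ip}, client_ip($api), session_ok( $session, client_ip($api) );
```

Apache's ProxyPreserveHost directive passes the original Host header to the backend; the client address reaches a proxied backend in the X-Forwarded-For header that mod_proxy adds, which is why the sketch resolves it from that header and only when the direct peer is a trusted proxy.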

