[Koha-devel] "IP address has changed. Please log in again"

Galen Charlton gmc at esilibrary.com
Wed May 29 18:07:44 CEST 2013


Hi,

On Wed, May 29, 2013 at 8:30 AM, Paul Poulain <paul.poulain at biblibre.com> wrote:
>  - some of them are in CGI mode, behind a proxy, and the problem occurs
> a few times a day, or even less.

We've occasionally run into problems with proxies changing the IP
address.  If your customer has control of the proxy, they should
configure it to allow direct access to the Koha database, or at least
route traffic through only one of the proxy servers.

There is additional discussion of this in bug 5511 [1].  The bug
includes a patch to add a system preference to disable the IP address
check, but of course doing that would make it easier to hijack the
session.

I'll ask the same question here that I asked in the bug: Given the
continued existence of things like web proxy farms that can result in
REMOTE_ADDR changing from request to request, are there any
improvements in the state of the art for anti-session-hijacking
measures that would reasonably allow us to remove the IP address check
(or implement a syspref like Amit's patch tried)?

[1] http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5511

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org
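
Added example, not part of the message above and not Koha's own code: a small model of the per-session IP address check the thread discusses, showing why a proxy farm that alternates REMOTE_ADDR trips it and what disabling the check gives up. The class and function names, the check_ip switch, the invalidate-on-mismatch behaviour and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    login_ip: str       # REMOTE_ADDR recorded at login
    valid: bool = True

class SessionStore:
    def __init__(self, check_ip=True):
        # check_ip models a hypothetical preference that disables the check
        self.check_ip = check_ip
        self.sessions = {}

    def login(self, sid, user, remote_addr):
        self.sessions[sid] = Session(user, remote_addr)

    def authorize(self, sid, remote_addr):
        """Return (ok, reason) for one request presenting session id sid."""
        s = self.sessions.get(sid)
        if s is None or not s.valid:
            return False, "no valid session"
        if self.check_ip and remote_addr != s.login_ip:
            s.valid = False     # assumed behaviour: force a fresh login
            return False, "IP address has changed. Please log in again"
        return True, "ok"

def replay(check_ip, addrs, login_ip="192.0.2.10"):
    """Log in from login_ip, then present the same session id from each address."""
    store = SessionStore(check_ip)
    store.login("sid-1", "librarian", login_ip)
    return [store.authorize("sid-1", ip)[0] for ip in addrs]

# Constructed traffic using documentation address ranges (RFC 5737).
PROXY_FARM = ["192.0.2.10", "192.0.2.10", "192.0.2.11", "192.0.2.10"]
OTHER_HOST = ["203.0.113.50"]   # unrelated client presenting the same cookie

def demo():
    return {
        "farm_checked": replay(True, PROXY_FARM),     # user is logged out mid-session
        "farm_unchecked": replay(False, PROXY_FARM),  # no false logouts
        "other_checked": replay(True, OTHER_HOST),    # copied cookie is refused
        "other_unchecked": replay(False, OTHER_HOST), # copied cookie is accepted
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The strict setting refuses both the legitimate user behind the second proxy and the unrelated client; the relaxed setting accepts both, which is the trade-off raised in the message.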

