View Issue Details

ID: 0029336
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2023-02-15 03:51
Reporter: devnull
Assigned To:
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: acknowledged
Resolution: open
Platform: amd64
OS: FreeBSD
OS Version: 13
Product Version: 2.25.2
Summary0029336: session died due to Cloudflare proxy
Description

Hello,

I use the Cloudflare proxy in DNS to access my website to prevent DDoS and other attacks.
Cloudflare acts as a reverse proxy between the website visitor and the server.
The IP address that the server receives isn't the client IP address, but a Cloudflare IP address.
So the IP address can change in the same session, as Cloudflare uses many IP addresses randomly.

As you can see in the Apache error.log, in the same session the IP address changed from 172.68.27.242 to 172.68.26.143:

[Fri Dec 03 15:02:29] [client 172.68.27.242] AH01071: Got error 'PHP message: PHP Warning: 2702 in /usr/local/www/apache24/data/apt322.org/abc71/bugtracker/core/session_api.php on line 218', referer: https://apt322.org/abc71/bugtracker/view_all_bug_page.php

[Fri Dec 03 15:03:11] [client 172.68.26.143] AH01071: Got error 'PHP message: PHP Warning: 2702 in /usr/local/www/apache24/data/apt322.org/abc71/bugtracker/core/session_api.php on line 218', referer: https://apt322.org/abc71/bugtracker/view_all_bug_page.php

To solve the problem, I temporarily removed the if( $t_user_ip != $t_last_ip ) {...} block in bugtracker/core/session_api.php.

So, is it possible to obtain the real client IP address (CF-CONNECTING-IP) so that it works properly?
Or do you have any other solution for that?

TagsNo tags attached.

Relationships

related to 0012771 new Users behind proxy will get 'ERROR_SESSION_NOT_VALID' if secure_session is checked during login
related to 0013035 acknowledged Secure Session Support for Platforms masking client source address but injecting HTTP headers
related to 0032022 closed (dregad) Image upload issue

Activities

atrol

2021-12-03 12:21

developer   ~0066062

You could deactivate session validation by adding the following lines to config_inc.php

$g_session_validation = OFF;

https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.webserver

devnull

2021-12-03 12:53

reporter   ~0066063

Last edited: 2021-12-03 15:23

Thanks, atrol.
It solves the problem too, although there are security risks involved.

In future versions, if possible, evaluating the use of "x-forwarded-for" to identify the real IP address connected through an HTTP proxy would be really welcome.
Thus we can keep session validation ON.

Thanks again for your assistance!

atrol

2021-12-04 13:59

developer   ~0066064

use "x-forwarded-for" to identify real IP address

In case someone should start working on this, here is some more information that should be considered:
https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php
https://stackoverflow.com/questions/5421144/php-get-real-ip-proxy-detection

dregad

2023-02-15 03:42

developer   ~0067391

The problem with using the X-Forwarded-For header is that it can easily be spoofed, so it is not a reliable source of information in the context of session validation.
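The spoofing concern above and the reporter's wish to keep session validation on are both addressed by the same rule: honour a forwarding header only when the TCP peer is a reverse proxy you operate or explicitly trust, and bind the session to REMOTE_ADDR otherwise. The following is an added example written for this thread, not MantisBT code and not the contents of session_api.php. It goes slightly beyond the CF-Connecting-IP case by also walking an X-Forwarded-For chain from the right, skipping trusted hops. The trusted range 172.68.0.0/16 is a constructed placeholder (only the two edge addresses come from the reporter's log; the range is not Cloudflare's published list), and 203.0.113.7 and 198.51.100.9 are constructed client addresses.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT code. The trusted-proxy range and the client
// addresses below are constructed for the demonstration; only the two
// 172.68.x.x edge addresses are taken from the reporter's Apache log.

/** True if IPv4 address $ip lies inside CIDR block $cidr (a bare address means /32). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True if the peer that opened the TCP connection is one of our trusted reverse proxies. */
function is_trusted_proxy(string $addr, array $trustedCidrs): bool
{
    foreach ($trustedCidrs as $cidr) {
        if (ip_in_cidr($addr, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the address a session should be bound to.
 *
 * Direct connections: REMOTE_ADDR only; forwarding headers are client-controlled
 * and ignored. Connections from a trusted proxy: the proxy-set header
 * (CF-Connecting-IP if present, otherwise X-Forwarded-For walked from the right,
 * skipping trusted hops, so entries prepended by the client itself are never used).
 */
function resolve_client_ip(array $server, array $trustedCidrs): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($remote, $trustedCidrs)) {
        return $remote;
    }
    $cf = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting anything further left
        }
        if (!is_trusted_proxy($hops[$i], $trustedCidrs)) {
            return $hops[$i]; // first untrusted hop seen from the right
        }
    }
    return $remote; // proxy sent no usable header: bind to the proxy address itself
}

/** The per-request check from session_api.php, expressed against the resolved address. */
function session_ip_matches(string $boundIp, array $server, array $trustedCidrs): bool
{
    return resolve_client_ip($server, $trustedCidrs) === $boundIp;
}

// --- constructed demonstration ---------------------------------------------
$trusted = ['172.68.0.0/16'];   // placeholder edge range, see note above
$visitor = '203.0.113.7';       // constructed visitor address

// Same visitor, two requests arriving via two different edge addresses (as in the report).
$req1 = ['REMOTE_ADDR' => '172.68.27.242', 'HTTP_CF_CONNECTING_IP' => $visitor];
$req2 = ['REMOTE_ADDR' => '172.68.26.143', 'HTTP_CF_CONNECTING_IP' => $visitor];

// A direct connection (not via a trusted proxy) carrying forged forwarding headers.
$forged = [
    'REMOTE_ADDR'           => '198.51.100.9',
    'HTTP_CF_CONNECTING_IP' => $visitor,
    'HTTP_X_FORWARDED_FOR'  => $visitor,
];

$bound = resolve_client_ip($req1, $trusted);              // address the session is bound to
var_dump(session_ip_matches($bound, $req2, $trusted));    // second request, different edge address
var_dump(session_ip_matches($bound, $forged, $trusted));  // direct request with forged headers
var_dump(resolve_client_ip($forged, $trusted));           // what the forged request resolves to
```

The trusted-proxy list is the whole point: with it empty, the function degrades to plain REMOTE_ADDR and behaves exactly like the current check, so the headers only ever widen trust when an operator has deliberately listed the proxy ranges in front of the server.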