Hi,

On Wed, May 29, 2013 at 8:30 AM, Paul Poulain <[email protected]> wrote:
> - some of them are in CGI mode, behind a proxy, and the problem occurs
> a few times a day, or even less.

We've occasionally run into problems with proxies changing the IP address. If your customer has control of the proxy, they should configure it to allow direct access to the Koha database, or at least route traffic through only one of the proxy servers.

There is additional discussion of this in bug 5511 [1]. The bug includes a patch to add a system preference to disable the IP address check, but of course doing that would make it easier to hijack the session.

I'll ask the same question here that I asked in the bug:

Given the continued existence of things like web proxy farms that can result in REMOTE_ADDR changing from request to request, are there any improvements in the state of the art for anti-session-hijacking measures that would reasonably allow us to remove the IP address check (or implement a syspref like Amit's patch tried)?

[1] http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5511

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: [email protected]
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org

_______________________________________________
Koha-devel mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
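
The trade-off discussed in the message above, as an added example that is not part of the original post and is not Koha's code: a session bound to the login address is replayed through a constructed two-proxy farm, once with the address check on and once with it off. The function name, the session store layout, the sample addresses and the assumption that a session failing the check is discarded are all hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not Koha's code: every name below is hypothetical.
use strict;
use warnings;

# Decide whether a request may use a session.
# $check_ip models a preference like the one proposed in bug 5511.
sub check_session {
    my ($store, $sid, $remote_addr, $check_ip) = @_;
    my $session = $store->{$sid} or return 'no session, login required';
    if ($check_ip && $session->{ip} ne $remote_addr) {
        delete $store->{$sid};    # assumption: mismatch discards the session
        return 'rejected: address changed';
    }
    return "ok as $session->{user}";
}

# Constructed requests in arrival order: [sender, cookie, REMOTE_ADDR seen].
my @requests = (
    ['patron via proxy A',        'sess-0001', '192.0.2.10'],
    ['patron via proxy B',        'sess-0001', '192.0.2.11'],
    ['patron via proxy A',        'sess-0001', '192.0.2.10'],
    ['same cookie, unrelated IP', 'sess-0001', '198.51.100.7'],
);

for my $check_ip (1, 0) {
    # Fresh constructed store for each run: the patron logged in via proxy A.
    my %store = ('sess-0001' => { user => 'patron1', ip => '192.0.2.10' });
    printf "IP address check %s\n", $check_ip ? 'enabled' : 'disabled';
    for my $req (@requests) {
        my ($who, $sid, $addr) = @$req;
        printf "  %-26s %-13s %s\n", $who, $addr,
            check_session(\%store, $sid, $addr, $check_ip);
    }
}
```

With the check enabled, the second request (same patron, other proxy) is rejected and the later ones find no session; with it disabled, all four requests are accepted, including the one from the unrelated address.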
