Faidon Liambotis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/242789
Change subject: otrs: disable SessionCheckRemoteIP
......................................................................
otrs: disable SessionCheckRemoteIP

Disable remote IP checks for sessions. We use Cookies over TLS so we
don't need this extra check. Having it enabled is actually hurtful, as
it logs out users that e.g. use IPv6 with privacy extensions enabled.

This is insecure before OTRS 4.0, because the session token is getting
leaked on the address bar after login and users may inadvertently share
their session by sharing the URL with someone else (upstream OTRS bug
8008).

Bug: T87217
Change-Id: I3286690a74df4ec80c9e6263326cb14578eb2a53
---
M modules/otrs/templates/Config.pm.erb
1 file changed, 5 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/89/242789/1
diff --git a/modules/otrs/templates/Config.pm.erb
b/modules/otrs/templates/Config.pm.erb
index 5aeecb4..0751e65 100644
--- a/modules/otrs/templates/Config.pm.erb
+++ b/modules/otrs/templates/Config.pm.erb
@@ -68,6 +68,11 @@
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
+ # Disable remote IP checks for sessions. We use Cookies over TLS so we
+ # don't need this extra check. Having it enabled is actually hurtful, as
+ # it logs out users that e.g. use IPv6 with privacy extensions enabled.
+ $Self->{SessionCheckRemoteIP} = 0;
+
$Self->{CheckEmailInvalidAddress} = '@(aaaaarenulxxxx)\.(..|...)$';
# ---------------------------------------------------- #
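Review bot: The comment added above `$Self->{SessionCheckRemoteIP} = 0;` leaves out the precondition that the commit message states, namely that turning this check off is insecure before OTRS 4.0 because the session token shows up in the address bar after login (upstream OTRS bug 8008). The justification also rests on sessions being carried in cookies, yet the only reference to `SessionUseCookie` visible here is the commented-out line two lines above, so nothing in the template pins that assumption. I would put the caveat into the comment itself, for example "only safe with cookie sessions on OTRS >= 4.0, see upstream bug 8008", and say in the commit message which OTRS version this template is deployed against, so that anyone later changing `SessionUseCookie` or applying this template to an older install sees the dependency.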
--
To view, visit https://gerrit.wikimedia.org/r/242789
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3286690a74df4ec80c9e6263326cb14578eb2a53
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>