From 4622c28bb2ed5d5c695ff55f1f3cd6739d14de99 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 22 Apr 2019 23:20:41 +0200
Subject: [PATCH] remove further private IPs from proxys
---
 api/src/Session.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/api/src/Session.php b/api/src/Session.php
index e95f504754..7ea9884c61 100644
--- a/api/src/Session.php
+++ b/api/src/Session.php
@@ -1260,11 +1260,16 @@ class Session
 /**
 * Get the ip address of current users
 *
+ * We remove further private IPs (from proxys) as they invalidate user
+ * sessions, when they change because of multiple proxys.
+ *
 * @return string ip address
 */
 public static function getuser_ip()
 {
- return isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+ return isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
+ preg_replace('/,10\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR']) :
+ $_SERVER['REMOTE_ADDR'];
 }

 /**
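Review bot: The pattern `/,10\..*$/` in getuser_ip() only matches when the private hop follows the comma with no whitespace, but proxies commonly join X-Forwarded-For entries with `, `, so such headers would keep varying and still invalidate sessions. It also covers only 10.0.0.0/8 and leaves 172.16.0.0/12 and 192.168.0.0/16 hops in place; consider `preg_replace('/,\s*(10|192\.168|172\.(1[6-9]|2\d|3[01]))\..*$/', '', $_SERVER['HTTP_X_FORWARDED_FOR'])`. Separately, X-Forwarded-For is a client-supplied header, so if this value is what binds a session to an address (as the new docblock suggests), it should only be honoured when REMOTE_ADDR is one of the deployment's own proxies, falling back to REMOTE_ADDR otherwise. A docblock line stating that trust assumption would help the next maintainer.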