From e3bb1390807578e2b9898723e2816a58f2c01e57 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amitddng135@gmail.com>
Date: Tue, 8 Oct 2013 09:33:54 +0530
Subject: [PATCH] Bug - 5511: Check for Change in Remote IP address for Session
 Security. Disable when remote ip address changes frequently.

To Test:
1) Enable the system preference SessionRestrictionByIP
2) Change your system IP. It will not checkout your system IP or signout.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
---
 C4/Auth.pm                                                 | 7 ++++---
 .../prog/en/modules/admin/preferences/admin.pref           | 7 +++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index e6c121a29e..1238e8fdb5 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1162,6 +1162,7 @@ sub checkauth {
         INPUTS                                => \@inputs,
         casAuthentication                     => C4::Context->preference("casAuthentication"),
         shibbolethAuthentication              => $shib,
+        SessionRestrictionByIP                => C4::Context->preference("SessionRestrictionByIP"),
         suggestion                            => C4::Context->preference("suggestion"),
         virtualshelves                        => C4::Context->preference("virtualshelves"),
         LibraryName                           => "" . C4::Context->preference("LibraryName"),
@@ -1352,7 +1353,7 @@ sub check_api_auth {
                 $userid    = undef;
                 $sessionID = undef;
                 return ( "expired", undef, undef );
-            } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
+            } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) {
 
                 # IP address changed
                 $session->delete();
@@ -1604,8 +1605,8 @@ sub check_cookie_auth {
             C4::Context->_unset_userenv($sessionID);
             $userid    = undef;
             $sessionID = undef;
-            return ( "expired", undef );
-        } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) {
+            return ("expired", undef);
+        } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) {
 
             # IP address changed
             $session->delete();
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
index f796361611..e2ea9158d6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
@@ -63,6 +63,13 @@ Administration:
                   yes: Require
                   no: "Don't require"
             - staff to log in from a computer in the IP address range <a href="/cgi-bin/koha/admin/branches.pl">specified by their library</a> (if any).
+        -
+            - pref: SessionRestrictionByIP
+              default: 0
+              choices:
+                  yes: Enable
+                  no: "Disable"
+            - Check for Change in Remote IP address for Session Security. Disable when remote ip address changes frequently.
         # PostgreSQL is supported by CGI::Session but not by Koha.
         -
             - Store login session information
-- 
2.20.1