From e3bb1390807578e2b9898723e2816a58f2c01e57 Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Tue, 8 Oct 2013 09:33:54 +0530 Subject: [PATCH] Bug - 5511: Check for Change in Remote IP address for Session Security. Disable when remote ip address changes frequently. To Test: 1) Enable the system preference SessionRestrictionByIP 2) Change your system IP. It will not checkout your system IP or signout. Signed-off-by: Martin Renvoize Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi --- C4/Auth.pm | 7 ++++--- .../prog/en/modules/admin/preferences/admin.pref | 7 +++++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index e6c121a29e..1238e8fdb5 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1162,6 +1162,7 @@ sub checkauth { INPUTS => \@inputs, casAuthentication => C4::Context->preference("casAuthentication"), shibbolethAuthentication => $shib, + SessionRestrictionByIP => C4::Context->preference("SessionRestrictionByIP"), suggestion => C4::Context->preference("suggestion"), virtualshelves => C4::Context->preference("virtualshelves"), LibraryName => "" . C4::Context->preference("LibraryName"), @@ -1352,7 +1353,7 @@ sub check_api_auth { $userid = undef; $sessionID = undef; return ( "expired", undef, undef ); - } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) { + } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) { # IP address changed $session->delete(); @@ -1604,8 +1605,8 @@ sub check_cookie_auth { C4::Context->_unset_userenv($sessionID); $userid = undef; $sessionID = undef; - return ( "expired", undef ); - } elsif ( $ip ne $ENV{'REMOTE_ADDR'} ) { + return ("expired", undef); + } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) { # IP address changed $session->delete(); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref index f796361611..e2ea9158d6 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref @@ -63,6 +63,13 @@ Administration: yes: Require no: "Don't require" - staff to log in from a computer in the IP address range specified by their library (if any). + - + - pref: SessionRestrictionByIP + default: 0 + choices: + yes: Enable + no: "Disable" + - Check for Change in Remote IP address for Session Security. Disable when remote ip address changes frequently. # PostgreSQL is supported by CGI::Session but not by Koha. - - Store login session information -- 2.39.5