View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0013035 | mantisbt | security | public | 2011-05-26 17:38 | 2023-02-15 03:51 |

| Priority | Severity | Reproducibility |
|---|---|---|
| normal | major | have not tried |

Summary: 0013035: Secure Session Support for Platforms masking client source address but injecting HTTP headers
Some platforms will mask the client source IP address that session validation is based on. Certain implementations, such as the F5 BigIP, will inject the client IP address as a configurable HTTP header. It is desirable to have support for this so that secure sessions can be used with these devices in these specific configurations.
Steps To Reproduce: Configure proxy or solution (i.e., F5 Load Balancer) to mask the client source address.

Tags: No tags attached.
patch_sessioninvalidation (3,771 bytes)
While investigating this I noticed that the behavior for session invalidation would also return the user to the default landing page. In scenarios where we detect that a user has possibly had their session hijacked, it may also be desirable to force a logout.
Potential patch against the 1.2.5 branch - adds 3 new configuration variables:
session_api now depends on user_api and authentication_api to support logout functionality.
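As an added illustration (not the attached patch and not MantisBT's own code), the following standalone PHP shows the check the request and the note above describe: the injected header is honoured only when the request arrives from an address in a trusted-proxy list, and a session whose stored address no longer matches the resolved client address is flagged for forced logout. The header name, the trusted-proxy list and the function names are assumptions, not configuration options from the patch.

```php
<?php
// Added example, not from the patch attached to this issue.
// Assumed configuration: which $_SERVER key the front-end device injects
// and which upstream addresses are allowed to set it.
$g_client_ip_header   = 'HTTP_X_FORWARDED_FOR';
$g_trusted_proxy_list = array( '10.0.0.5', '10.0.0.6' ); // load balancer addresses

/**
 * Resolve the client address used for session validation.
 * The injected header is honoured only when the TCP peer is a trusted proxy;
 * otherwise any client could set the header itself and defeat the IP check.
 */
function client_address( array $p_server, $p_header, array $p_trusted ) {
    $t_remote = isset( $p_server['REMOTE_ADDR'] ) ? $p_server['REMOTE_ADDR'] : '';
    if ( !in_array( $t_remote, $p_trusted, true ) || empty( $p_server[$p_header] ) ) {
        return $t_remote;
    }
    // X-Forwarded-For may carry a chain "client, proxy1, proxy2"; walk it from
    // the right and stop at the first address that is not one of our proxies.
    $t_chain = array_map( 'trim', explode( ',', $p_server[$p_header] ) );
    for ( $i = count( $t_chain ) - 1; $i >= 0; $i-- ) {
        if ( filter_var( $t_chain[$i], FILTER_VALIDATE_IP ) === false ) {
            return $t_remote; // malformed header: fall back to the socket address
        }
        if ( !in_array( $t_chain[$i], $p_trusted, true ) ) {
            return $t_chain[$i];
        }
    }
    return $t_remote;
}

/**
 * Compare the address stored with the session against the current request.
 * Returns true when the session should be destroyed and the user logged out.
 */
function session_hijack_suspected( $p_session_ip, array $p_server, $p_header, array $p_trusted ) {
    return $p_session_ip !== client_address( $p_server, $p_header, $p_trusted );
}

// Constructed requests: one through the load balancer, one direct with a forged header.
$t_via_lb = array( 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7' );
$t_forged = array( 'REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7' );
var_dump( client_address( $t_via_lb, $g_client_ip_header, $g_trusted_proxy_list ) );
var_dump( client_address( $t_forged, $g_client_ip_header, $g_trusted_proxy_list ) );
var_dump( session_hijack_suspected( '203.0.113.7', $t_forged, $g_client_ip_header, $g_trusted_proxy_list ) );
```

The forged request resolves to its socket address rather than the header value, so a session established from 203.0.113.7 is not accepted from it.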