6.0.0-RC7
6/27/26

[#2067] HTTP/HTTPS login issue
Summary HTTP/HTTPS login issue
Queue IMP
Queue Version 4.0.3
Type Bug
State Not A Bug
Priority 2. Medium
Owners Horde Developers (at)
Requester horde (at) padilla (dot) net
Created 6/2/05 (7695 days ago)
Due
Updated 6/6/05 (7691 days ago)
Assigned 6/2/05 (7695 days ago)
Resolved 6/6/05 (7691 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
542 Chuck Hagenbuch State ⇒ Not A Bug
 
1012 horde (at) padilla (dot) net Comment #6
Fair enough, I guess the alternative is to simply set
$conf['auth']['checkip'] to false.
> These are generated by HTTP headers, right? Then yes, forging them
> would be too easy.
3911 Jan Schneider Comment #5
These are generated by HTTP headers, right? Then yes, forging them
would be too easy.
5910 Chuck Hagenbuch Comment #4
State ⇒ Feedback
Do we really want to trust that variable? If the point is security,
this pretty much defeats it, I think.
09 Jan Schneider Assigned to Horde Developers
State ⇒ Assigned
 
209 horde (at) padilla (dot) net Comment #3
Here is the unified diff:



--- ~/horde-3.0.4/lib/Horde/Auth.php Tue Mar 29 12:59:56 2005

+++ lib/Horde/Auth.php  Thu Jun  2 08:00:17 2005

@@ -1080,7 +1080,10 @@

      function _checkSessionIP()

      {

          return (empty($GLOBALS['conf']['auth']['checkip']) ||

-                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']));

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']) ||

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_CLIENT_IP']) ||

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_X_FORWARDED_FOR'])

+       );

      }



      /**
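Review bot: the two added comparisons against $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'] make a client-supplied header count as proof that the request still comes from the session's original address, so a request from any address satisfies the check as long as the stored address appears in that header; that removes the protection $conf['auth']['checkip'] exists to give after a session ID has been captured. If the goal is to work behind a reverse proxy that the server operator controls, only consult the forwarded header when REMOTE_ADDR is that proxy's address, and compare against the last hop of the comma-separated X-Forwarded-For list rather than the whole string, which never equals a single stored address once two or more proxies are in the path. Two smaller points in the same hunk: both header indexes are read without isset(), which raises an undefined-index notice on every request that lacks them, and isset($_SESSION['__auth']['remote_addr']) is now evaluated three times and could be hoisted in front of the three comparisons.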


578 Jan Schneider Comment #2
State ⇒ Feedback
Can you please upload a unified diff of your changes? Thanks.
106 horde (at) padilla (dot) net Comment #1
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ HTTP/HTTPS login issue
Queue ⇒ IMP
Hi,

I have Horde/IMP set up for using HTTPS only for the part of the
session where the password is sent ($conf['use_ssl'] = 3;). I (client
side) am on a network that uses a transparent proxy for HTTP traffic,
so the HTTP and HTTPS source addresses that hit the server are
different.

I modified lib/Horde/Auth.php as follows (added checks for
HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR) and now it works fine:

    function _checkSessionIP()
    {
        // Proposed change: besides REMOTE_ADDR, also accept the address
        // reported in the HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR request
        // header as a match for the address stored at login.
        return (empty($GLOBALS['conf']['auth']['checkip']) ||
                (isset($_SESSION['__auth']['remote_addr']) &&
                 $_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']) ||
                (isset($_SESSION['__auth']['remote_addr']) &&
                 $_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_CLIENT_IP']) ||
                (isset($_SESSION['__auth']['remote_addr']) &&
                 $_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_X_FORWARDED_FOR'])
        );
    }

Thanks for a great webmail client!

Len Padilla
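One way to support a reverse proxy in front of Horde without trusting client-supplied headers, as an added example that is not Horde's code: the session IP check consults X-Forwarded-For only when REMOTE_ADDR is a proxy the server operator has listed, and otherwise compares REMOTE_ADDR alone. The function names, the config key $conf['auth']['trusted_proxies'] and the addresses are assumptions; a transparent proxy on the client side, as in this ticket, is not a trusted proxy and still ends up compared by REMOTE_ADDR.

```php
<?php
// Added example, not Horde's code. Hypothetical names: client_address(),
// check_session_ip() and the config key $conf['auth']['trusted_proxies'].
// Address to bind the session to. X-Forwarded-For is consulted only when the
// request itself comes from a trusted proxy; otherwise it is client-supplied
// text and is ignored.
function client_address(array $server, array $trustedProxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trustedProxies, true) ||
        empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Header is "client, proxy1, proxy2": each proxy appends the address it saw.
    // Walk from the right past our own proxies; the first other hop is the one
    // the nearest trusted proxy received the connection from.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote;
}

// Counterpart of _checkSessionIP(): true when checking is disabled or the
// stored address equals the one derived for this request.
function check_session_ip(array $conf, array $session, array $server)
{
    if (empty($conf['auth']['checkip'])) {
        return true;
    }
    if (!isset($session['__auth']['remote_addr'])) {
        return false;
    }
    $proxies = isset($conf['auth']['trusted_proxies'])
        ? $conf['auth']['trusted_proxies'] : array();
    return $session['__auth']['remote_addr'] === client_address($server, $proxies);
}

// Constructed sample: session bound to 203.0.113.7, proxy 10.0.0.5 trusted.
$conf    = array('auth' => array('checkip' => true,
                                 'trusted_proxies' => array('10.0.0.5')));
$session = array('__auth' => array('remote_addr' => '203.0.113.7'));
// Via the trusted proxy: the forwarded address is the one compared.
var_dump(check_session_ip($conf, $session, array('REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7')));
// Direct from another address: the header is ignored and REMOTE_ADDR is compared.
var_dump(check_session_ip($conf, $session, array('REMOTE_ADDR' => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7')));
```

With an empty trusted_proxies list the function degrades to the original REMOTE_ADDR-only comparison, which is the behaviour to keep when, as here, the proxy is not under the server operator's control.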
