6.0.0-beta1
9/10/25

[#2067] HTTP/HTTPS login issue
Summary HTTP/HTTPS login issue
Queue IMP
Queue Version 4.0.3
Type Bug
State Not A Bug
Priority 2. Medium
Owners Horde Developers (at)
Requester horde (at) padilla (dot) net
Created 06/02/2005 (7405 days ago)
Due
Updated 06/06/2005 (7401 days ago)
Assigned 06/02/2005 (7405 days ago)
Resolved 06/06/2005 (7401 days ago)
Patch No

History
06/06/2005 02:40:54 PM Chuck Hagenbuch State ⇒ Not A Bug
 
06/06/2005 12:06:10 PM horde (at) padilla (dot) net Comment #6
Fair enough, I guess the alternative is to simply set 
$conf['auth']['checkip'] to false.
These are generated by HTTP headers, right? Then yes, forging them
would be too easy.
06/06/2005 11:26:39 AM Jan Schneider Comment #5
These are generated by HTTP headers, right? Then yes, forging them 
would be too easy.
06/02/2005 10:42:59 PM Chuck Hagenbuch Comment #4
State ⇒ Feedback
Do we really want to trust that variable? If the point is security, 
this pretty much defeats it, I think.
06/02/2005 09:24:00 AM Jan Schneider Assigned to Horde Developers
State ⇒ Assigned
 
06/02/2005 09:04:20 AM horde (at) padilla (dot) net Comment #3
here is the unified diff:



--- ~/horde-3.0.4/lib/Horde/Auth.php Tue Mar 29 12:59:56 2005

+++ lib/Horde/Auth.php  Thu Jun  2 08:00:17 2005

@@ -1080,7 +1080,10 @@

      function _checkSessionIP()

      {

          return (empty($GLOBALS['conf']['auth']['checkip']) ||

-                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']));

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']) ||

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_CLIENT_IP']) ||

+                (isset($_SESSION['__auth']['remote_addr']) && 
$_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_X_FORWARDED_FOR'])

+       );

      }



      /**
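
Review bot: The two added clauses compare the stored session address against $_SERVER['HTTP_CLIENT_IP'] and $_SERVER['HTTP_X_FORWARDED_FOR'], which PHP fills from request headers, so the sender of the request chooses their values and the check no longer ties the session to a network source while $conf['auth']['checkip'] still appears enabled. If proxied clients have to be supported, consult these headers only when $_SERVER['REMOTE_ADDR'] is a proxy the operator has configured as trusted, and otherwise keep the REMOTE_ADDR comparison alone. The new clauses also read both $_SERVER keys without an isset() guard (only the $_SESSION key is guarded), which raises notices on requests that lack the headers, and an X-Forwarded-For value that lists more than one hop will never equal a single stored address.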


06/02/2005 08:47:57 AM Jan Schneider Comment #2
State ⇒ Feedback
Can you please upload a unified diff of your changes? Thanks.
06/02/2005 06:02:10 AM horde (at) padilla (dot) net Comment #1
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ HTTP/HTTPS login issue
Queue ⇒ IMP
Hi,

I have Horde/IMP set up for using HTTPS only for the part of the 
session where the password is sent ($conf['use_ssl'] = 3;). I (client 
side) am on a network that uses a transparent proxy for HTTP traffic, 
so the HTTP and HTTPS source addresses that hit the server are 
different.

I modified lib/Horde/Auth.php as follows (added checks for 
HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR) and now it works fine:

     function _checkSessionIP()
     {
         return (empty($GLOBALS['conf']['auth']['checkip']) ||
                 (isset($_SESSION['__auth']['remote_addr']) && $_SESSION['__auth']['remote_addr'] == $_SERVER['REMOTE_ADDR']) ||
                 (isset($_SESSION['__auth']['remote_addr']) && $_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_CLIENT_IP']) ||
                 (isset($_SESSION['__auth']['remote_addr']) && $_SESSION['__auth']['remote_addr'] == $_SERVER['HTTP_X_FORWARDED_FOR'])
         );
     }

Thanks for a great webmail client!

Len Padilla
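
The concern raised in comments #4 and #5, as an added example (not Horde's code and not part of the ticket): one way to keep the session IP check meaningful behind a proxy is to read X-Forwarded-For only when the TCP peer is a proxy the operator has listed as trusted. The function names, the `$trusted` list and all addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not Horde code. Function names and the trusted-proxy list
// are hypothetical; all addresses are constructed documentation-range samples.

/**
 * Return the address to bind the session to. X-Forwarded-For is consulted
 * only when the TCP peer (REMOTE_ADDR) is a proxy the operator trusts.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true) ||
        empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct client: its request headers prove nothing
    }
    // The header may be a list "client, proxy1, proxy2". Walk right to left
    // and stop at the first hop that is not one of our own proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // every listed hop was one of our proxies
}

function checkSessionIp(array $session, array $server, array $trusted): bool
{
    return isset($session['remote_addr']) &&
        $session['remote_addr'] === resolveClientIp($server, $trusted);
}

$trusted = ['192.0.2.10'];                     // constructed proxy address
$session = ['remote_addr' => '198.51.100.7'];  // address stored at login

// Request relayed by the trusted proxy on behalf of the login address.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
var_dump(checkSessionIp($session, $viaProxy, $trusted));

// Request from an unlisted peer that copies the login address into the header.
$forged = ['REMOTE_ADDR' => '203.0.113.50',
           'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
var_dump(checkSessionIp($session, $forged, $trusted));
```

With these constructed requests the first call returns true and the second false. The approach only helps when the server operator knows and trusts the proxy's address, which is not a given for a transparent proxy on the client's network.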
