Session Invalidated - several logouts and errors on environment with changing ips

Permalink
Hello everyone

We have a cutomer where the ip changes very often because of a proxy. So we see these errors in the logs:
Session Invalidated. Session IP "123.45.6.789" did not match provided IP "123.45.6.788".


This causes in unexpected logouts and sometimes problems on saving things. I did some research and found out that we could write some configuration for this in /application/config/concrete.php - but am unsure how exactly I should do this. Because it doesn't seem to work. I have done this:

<?php
// Get remote address
$remoteIp = $_SERVER['REMOTE_ADDR'];
return array(
    'security' => array(
        'trusted_proxies' => array(
            'ips' => [$remoteIP, '123.45.6.789', '123.45.6.788']
        ),
    ),   
);


Reference:
https://www.concrete5.org/community/forums/installation/concrete5-on...

Can anyone help me out how to indicate the two known ips correctly?

best regards, Roland

webpresso
 
jasteele12 replied on at Permalink Best Answer Reply
jasteele12
Like Korvin said in the forum post you referenced, you should only put the IPs you trust in the array:
return array(
    'security' => array(
        'trusted_proxies' => array(
            'ips' => ['123.45.6.788', '123.45.6.789']
        ),
    ),
);

You should probably disable all caching, make the change, then restore your cache settings after that.

It would be really nice if some netmask or range syntax was available, like 123.45.6.*
jasteele12 replied on at Permalink Reply
jasteele12
By the way, the [] array syntax only works with PHP 5.4+ (corrected by @A3020)

If your version is less than 5.4 you would need to change
'ips' => ['123.45.6.788', '123.45.6.789']

to this
'ips' => array('123.45.6.788', '123.45.6.789')

Let us know how it goes -John
A3020 replied on at Permalink Reply
A3020
PS. Short array syntax has been added in PHP 5.4 (http://php.net/manual/en/migration54.new-features.php)
jasteele12 replied on at Permalink Reply
jasteele12
Oops, you are correct. I quickly added that reply thinking it could be a PHP versions issue. Post modified...

Thanks for the correction! -John
webpresso replied on at Permalink Reply
webpresso
Thanks a lot for your information! We did the settings today and only added the trusted ip's. So we will check if the logout behaviour stops now.

best regards, Roland