Problem with Concrete 5.6.3.1. Cannot log in, possibly due to new XSS permissions

I am having a bit of a problem with Concrete 5.6.3.1. At the location where I am doing one edit, the fibre connection keeps churning out different IP addresses. When I try to log in, I can't seem to access the edit and dashboard bar. (I get the blank white toolbar only, and only if I click "keep me logged in". If I don't click "keep me logged in", the page just refreshes even though the login credentials are right.)

However, when I tether my phone (which gives my connection a fixed IP address), I am able to log in perfectly and without issue. (I can access the edit button and dashboard without a problem.)

This has led me to believe that some additional permissions (XSS perhaps) in Concrete 5.6 have made it impossible for sessions to work if you are on a connection whose IP address changes every minute.

This problem has been replicated in 2 different locations (with similar fibre connections with rotating IP addresses) and verified in another location (with a fixed IP address).

Is there any way for C5 sessions to work properly with rotating IP addresses? Or is there a way to disable the xss code so it works like v5.5?

jjtml replied:
Just an update: I have a c5 v5.6.1.2 installation on the exact same server. I can access the edits and dashboard from the PC on the network with IP changes.

However, another install I have on v5.6.3.1 on a different server allows me to log in and access the edit and dashboard properly. Is there any setting on the first server that I need to change to sort of delink the sessions and IP address changes?

jjtml replied (Best Answer):
OK, I found the solution. If any of you guys have the same problem with IP refreshing, just go to the sessions.php and disable this code:

// avoid session fixation; check IP and UA
//if (!empty($_SESSION['client']['REMOTE_ADDR']) && ($_SESSION['client']['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR'])) {
// provide new session id and leave the old one
// session_regenerate_id(false);
// wipe new session
// $_SESSION = array();
//}
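
A less drastic alternative to disabling the check, as an added example that is not concrete5 code or part of the original posts: keep the binding but compare the network prefix (first 24 bits for IPv4, 64 for IPv6) and the User-Agent instead of the exact address. The function names, the `HTTP_USER_AGENT` session key and the prefix lengths are assumptions; the sample addresses are constructed.

```php
<?php
// Added example, not concrete5 code. Function names are hypothetical.

/** Network prefix of an address as hex: first 24 bits (IPv4) or 64 bits (IPv6). */
function client_network($ip) {
    $packed = @inet_pton((string) $ip);
    if ($packed === false) {
        return null; // unparsable address never matches
    }
    // inet_pton() packs IPv4 to 4 bytes and IPv6 to 16 bytes
    $keep = (strlen($packed) === 4) ? 3 : 8;
    return bin2hex(substr($packed, 0, $keep));
}

/** True when the request still looks like the client that started the session. */
function session_client_matches(array $stored, array $server) {
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    // Assumed key: the page only shows REMOTE_ADDR being stored
    if (isset($stored['HTTP_USER_AGENT']) && $stored['HTTP_USER_AGENT'] !== $ua) {
        return false;
    }
    if (empty($stored['REMOTE_ADDR'])) {
        return true; // nothing recorded yet, nothing to compare
    }
    $addr = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $old = client_network($stored['REMOTE_ADDR']);
    return $old !== null && $old === client_network($addr);
}

// Constructed sample values (documentation address ranges)
$stored    = array('REMOTE_ADDR' => '203.0.113.17',  'HTTP_USER_AGENT' => 'ExampleBrowser/1.0');
$same_net  = array('REMOTE_ADDR' => '203.0.113.200', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0');
$other_net = array('REMOTE_ADDR' => '198.51.100.5',  'HTTP_USER_AGENT' => 'ExampleBrowser/1.0');
$other_ua  = array('REMOTE_ADDR' => '203.0.113.17',  'HTTP_USER_AGENT' => 'OtherBrowser/2.0');

var_dump(session_client_matches($stored, $same_net));  // address rotated inside the prefix
var_dump(session_client_matches($stored, $other_net)); // address moved to another network
var_dump(session_client_matches($stored, $other_ua));  // same address, different browser
```

This only helps when the rotating addresses stay within one prefix. Calling `session_regenerate_id(true)` at login is what prevents session fixation regardless of any address comparison.
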
jb1 replied:
Thanks for the code sample. I came across the same issue as the internet connection keeps changing IP addresses and I was banging my head against a wall. This makes much more sense now :-)