CI 3 Session - sess_match_ip only for REMOTE_ADDR?
#1

Hello everyone,
just a question to understand why in the session_drivers, when the config var 'sess_check_ip' is set to TRUE,
PHP Code:
//config.php
$config['sess_match_ip'] = TRUE;

only $_SERVER['REMOTE_ADDR'] is considered

PHP Code:
// Session_files_driver.php
$this->_file_path = $this->_config['save_path'].DIRECTORY_SEPARATOR
    .$name // we'll use the session cookie name as a prefix to avoid collisions
    .($this->_config['match_ip'] ? md5($_SERVER['REMOTE_ADDR']) : '');


and not the other headers like 'HTTP_X_FORWARDED_FOR' (maybe by calling the input->ip_address() function).

This can cause issues on a server with a load balancer that can serve the site from different IP addresses.

Thank you
Reply
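To make the question concrete, here is an added example (not CodeIgniter's own code) showing what changes in the session file prefix when the client address is resolved naively from REMOTE_ADDR, naively from X-Forwarded-For, or only through a list of trusted load balancers; the balancer and client addresses are constructed sample values, and $config['proxy_ips'] / input->ip_address() are the CI3 facilities this mirrors.

```php
<?php
// Added example, not CodeIgniter's own code: which address ends up in the
// session file name depends on what you treat as "the client". Trusting
// X-Forwarded-For blindly lets any peer choose that value; honour it only
// when REMOTE_ADDR is one of your own load balancers (CI3 exposes this as
// $config['proxy_ips'] for $this->input->ip_address()).

// $server mimics $_SERVER; $trusted_proxies are the balancer addresses.
function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote; // direct connection or untrusted peer: header ignored
    }
    // Walk the chain from the right, skipping our own proxies; the first
    // address not under our control is the real client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (!in_array($chain[$i], $trusted_proxies, true)
            && filter_var($chain[$i], FILTER_VALIDATE_IP) !== false) {
            return $chain[$i];
        }
    }
    return $remote; // chain was all proxies or garbage: fall back
}

// Same prefix scheme as Session_files_driver: save_path/cookie_name.md5(ip)
function session_prefix(string $save_path, string $name, string $ip): string
{
    return $save_path . DIRECTORY_SEPARATOR . $name . md5($ip);
}

$lb   = ['10.0.0.1', '10.0.0.2']; // constructed: our two load balancers
$reqs = [
    // same client, routed through balancer #2 and then balancer #1
    ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    // direct hit from an untrusted peer that forges the header itself
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
];
foreach ($reqs as $r) {
    $ip = client_ip($r, $lb);
    printf("REMOTE_ADDR=%-13s resolved=%-13s prefix=%s\n",
        $r['REMOTE_ADDR'], $ip, session_prefix('/tmp', 'ci_session', $ip));
}
// md5($_SERVER['REMOTE_ADDR']) alone gives the first two requests different
// prefixes (the session drop seen behind a balancer); trusting XFF blindly
// would let the third request claim the real client's prefix. Resolving via
// trusted proxies does neither.
```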
#2

(09-12-2016, 12:37 PM)michelecom Wrote: Hello everyone,

This is by design and won't change.

(09-12-2016, 03:58 PM)arma7x Wrote: To match the client IP with their current session. If you deploy on a server with a load balancer, please consider using database, redis or memcache as the session driver.

This is completely irrelevant.
Reply
#3

(09-13-2016, 12:40 AM)Narf Wrote:
This is by design and won't change.

Thank you for your reply Narf,
I understand that it's by design, I was just wondering why it has been implemented like this. 
Do you agree that this behaviour can cause issues when using a load balancer? Do you have any advice for that, different from hacking (or using a custom driver) to use the input->ip_address() function instead of just the REMOTE_ADDR?

Thank you for your time
Reply
#4

(09-13-2016, 12:40 AM)Narf Wrote:
(09-12-2016, 03:58 PM)arma7x Wrote: To match the client IP with their current session. If you deploy on a server with a load balancer, please consider using database, redis or memcache as the session driver.

This is completely irrelevant.
I know it is completely irrelevant, that's why I removed my unrelated comment; I thought OP was having a problem with sticky sessions.
Keep calm.
Reply
#5

(09-13-2016, 09:51 AM)michelecom Wrote: I understand that it's by design, I was just wondering why it has been implemented like this. 

It's a long topic; in one word: security.

(09-13-2016, 09:51 AM)michelecom Wrote: Do you agree that this behaviour can cause issues when using a loadbalancer?

I've found out that "issue", "problem" and even "bug" are words that people in our community increasingly use to describe something that simply doesn't go their way ...

If you start with the precondition that you have to have IP restrictions, then in that scenario you'll have to do some extra work.

Is that extra work an "issue"?
Or is it that you don't know how to work around it that's the "issue"?
Maybe it's your (likely arbitrary) precondition that's the real "issue"?

(09-13-2016, 09:51 AM)michelecom Wrote: Do you have any advice for that, different from hacking (or using a custom driver) using the input->ip_address() function instead of just using the REMOTE_ADDR?

Yes I do, but you won't like it: don't use the feature. There are numerous reasons for that, and by "reasons" I mean possible causes for the client's IP address changing mid-session.

- I've seen ISPs change users' addresses literally every time they reboot their ADSL router.
- Mobile operators almost all put you behind a NAT and then route you through different endpoints based on countless conditions.
- You could switch from mobile to wifi.
- Opera used to (and maybe still does) put a proxy between you and the outside world, because proxies can cache resources and thus speed up your page loading times.
- Apple (if I'm not mistaken) tried something similar a couple of years ago with some of their services.

The list goes on, and that's why PHP itself doesn't have this option in its session extension - I know, because I tried to push it in there. It's mostly useful in intranet environments, where you don't have a reason to sit behind load balancers in the first place.

Of course, as I said above - you can work around it and it requires some extra work (which can amount to just a single line of code in the right place), but I don't share such "tricks" publicly, as I believe that if you don't know how to do it on your own, you're not informed enough to make the decision for it in the first place.

Sorry.
Reply
#6

Ok, thank you Narf. That was the answer I was looking for.
I understand your point when saying that the real "issue" is the precondition and I agree with your explanation; it's only that this wasn't the behaviour I expected.
May I suggest writing something about it in the CI docs when talking about sess_match_ip? Just to avoid having it set to true (maybe from CI 2 and set by another developer) and wondering why sometimes your session drops.
Reply
#7

It is Off by default and the documentation does explain its effects in detail ... I don't really see what else needs to be added.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB