Using real client ip behind a proxy in Session driver

Hi,

I'm creating a login library to manage session on my website.
But I've seen that drivers use $_SERVER['REMOTE_ADDR'] so when running CI behind a proxy (nginx proxy_pass query to apache) the $_SERVER['REMOTE_ADDR'] is always 127.0.0.1.
So sess_match_ip doesn't work.

I've created a PR on github but narfbg say to me that it's a security flaw to trust an ip provided by client, and I understand that.

But in my case, the IP was trusted because it was added to HTTP header by nginx configuration :

Code:

proxy_set_header   X-Real-IP        $remote_addr;
proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

I think create a subdriver of Session_<driver>_driver was a good solution but apparently no...

What is running and works on my dev server :

PHP Code:

<?php

require_once BASEPATH.'/libraries/Session/drivers/Session_files_driver.php';

class Session_tuto_driver extends CI_Session_files_driver implements SessionHandlerInterface
{

    public function open($save_path, $name)
    {
        $flag = parent::open($save_path,$name);

        if($flag === true)
        {
            $CI =& get_instance();

            $this->_file_path = $this->_config['save_path'].DIRECTORY_SEPARATOR
                .$name
                .($this->_config['match_ip'] ? md5($CI->input->ip_address()) : '');
        }

        return $flag;
    }

} 


I know it's not a good solution but I want to understand and find a really good solution.


What is the best practices to use real client ip and to make working session match_ip option ?

I might be confused, as dealing with proxy's isn't something I've had a whole lot of experience with, but I believe the Input class' ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

Code:

$config['proxy_ips'] = '';

I believe this does what you need, doesn't it?

Support Development •  CodeIgniter 4 Foundations • Practical CodeIgniter 3  • CodeIgniter Tutorials

I might be confused, as dealing with proxy's isn't something I've had a whole lot of experience with, but I believe the Input class' ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

Code:

$config['proxy_ips'] = '';

I believe this does what you need, doesn't it?

No, it doesn't because in Session_drivers, client ip is getting by $_SERVER['REMOTE_ADDR']

PHP Code:

// libraries/Session/drivers/Session_files_driver.php L#129
$this->_file_path = $this->_config['save_path'].DIRECTORY_SEPARATOR
            .$name // we'll use the session cookie name as a prefix to avoid collisions
            .($this->_config['match_ip'] ? md5($_SERVER['REMOTE_ADDR']) : ''); 


I've already add my two proxy server ips to the config file, and my app gets the real client ip in all functions/methods/etc but only in Session driver the client ip was 127.0.0.1

Ok I've found a better solution, I think it's more a "hack" than a solution but it works.

I add this on top of my index.php

PHP Code:

$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP']; 


HTTP_X_FORWARDED_FOR cannot be trusted because it's a concatenation of ip provided by HTTP Request and the client can set the value.

Code:

curl http://example.com/ -H 'X-Forwarded-For: <a-fake-ip>'

If you check, in codeigniter, the value of $this->input->ip_address() was the fake ip and not the real client ip.

HTTP_X_REAL_IP is created by nginx configuration and if it already exists it will overwrite, so i cant trust the value no ?