RemoteIP check is not executed on every access #19

Open
rafacamargo123 opened this issue May 24, 2021 · 2 comments

@rafacamargo123

When the RemoteIp changes after the user has authenticated, authMemcookie does not prevent the user from accessing URLs.

This behaviour seems to happen only on Apache 2.4.

I've narrowed down the issue to the hook definition

Apparently, according to the Apache dev doc, this hook only executes if the configuration is different from the first access, but I couldn't make it work, even using different locations, one for authentication and another one with the "requires".

@mcarbonneaux
Member

The module normally checks the IP against the IP stored in the session only if you set Auth_memCookie_MatchIP_Mode (to a value > 0); by default it doesn't check the IP.

Have you set this option?

@rafacamargo123
Author

@mcarbonneaux thanks for checking out this issue.

Yes, I did set it:

    Auth_memCookie_MatchIP_Mode 1

And, with LogLevel debug (I've added the X-forwarded-for header at the end of the logFormat):

First access, no valid cookie set:

    [Mon May 31 10:33:17 2021] [debug] [pid 110372] mod_auth_memcookie.c(574): [client 172.22.40.74:49780] Auth_memCookie: Auth_memCookie_public_authz_checker in 179.113.159.104
    [Mon May 31 10:33:17 2021] [info] [pid 110372] mod_auth_memcookie.c(589): [client 172.22.40.74:49780] Auth_memCookie: cookie not found, continue ! 179.113.159.104
    [Mon May 31 10:33:17 2021] [debug] [pid 110372] mod_auth_memcookie.c(443): [client 172.22.40.74:49780] Auth_memCookie: ap_hook_check_user_id in 179.113.159.104
    [Mon May 31 10:33:17 2021] [debug] [pid 110372] mod_auth_memcookie.c(453): [client 172.22.40.74:49780] Auth_memCookie: check MatchIP_Mode:1 179.113.159.104
    [Mon May 31 10:33:17 2021] [debug] [pid 110372] mod_auth_memcookie.c(488): [client 172.22.40.74:49780] Auth_memCookie: AuthType are 'Cookie' 179.113.159.104
    [Mon May 31 10:33:17 2021] [info] [pid 110372] mod_auth_memcookie.c(503): [client 172.22.40.74:49780] Auth_memCookie: cookie not found! not authorized! RemoteIP:179.113.159.104 179.113.159.104

After authentication, with valid cookie and valid key on memcached:

    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(574): [client 172.22.40.74:59232] Auth_memCookie: Auth_memCookie_public_authz_checker in 179.113.159.104
    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(592): [client 172.22.40.74:59232] Auth_memCookie: got cookie; value is 1a280ca04d064ea901527a6ad1149f21 179.113.159.104
    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(207): [client 172.22.40.74:59232] Auth_memCookie: libmemcached configuration are --SERVER=xxxxx:11211 179.113.159.104
    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(262): [client 172.22.40.74:59232] Auth_memCookie: session information 'UserName'='captcha_1a280ca04d064ea901527a6ad1149f21' 179.113.159.104
    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(262): [client 172.22.40.74:59232] Auth_memCookie: session information 'RemoteIP'='179.113.159.104' 179.113.159.104
    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(262): [client 172.22.40.74:59232] Auth_memCookie: session information 'Expiration'='600' 179.113.159.104
    [Mon May 31 10:36:05 2021] [debug] [pid 113055] mod_auth_memcookie.c(284): [client 172.22.40.74:59232] Auth_memCookie: Value for Session (key:1a280ca04d064ea901527a6ad1149f21) found => Username=captcha_1a280ca04d064ea901527a6ad1149f21 Groups=(null) RemoteIp=179.113.159.104 179.113.159.104

After changing my IP address:

    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(574): [client 172.22.40.74:58910] Auth_memCookie: Auth_memCookie_public_authz_checker in 177.51.67.64
    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(592): [client 172.22.40.74:58910] Auth_memCookie: got cookie; value is 1a280ca04d064ea901527a6ad1149f21 177.51.67.64
    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(207): [client 172.22.40.74:58910] Auth_memCookie: libmemcached configuration are --SERVER=xxxx.trt15.jus.br:11211 177.51.67.64
    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(262): [client 172.22.40.74:58910] Auth_memCookie: session information 'UserName'='captcha_1a280ca04d064ea901527a6ad1149f21' 177.51.67.64
    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(262): [client 172.22.40.74:58910] Auth_memCookie: session information 'RemoteIP'='179.113.159.104' 177.51.67.64
    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(262): [client 172.22.40.74:58910] Auth_memCookie: session information 'Expiration'='600' 177.51.67.64
    [Mon May 31 10:37:35 2021] [debug] [pid 113055] mod_auth_memcookie.c(284): [client 172.22.40.74:58910] Auth_memCookie: Value for Session (key:1a280ca04d064ea901527a6ad1149f21) found => Username=captcha_1a280ca04d064ea901527a6ad1149f21 Groups=(null) RemoteIp=179.113.159.104 177.51.67.64

Apparently, mod_auth_memcookie never made this check: https://github.com/ZenProjects/Apache-Authmemcookie-Module/blob/master/mod_auth_memcookie.c#L537
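
For operators who want to find affected requests in their own debug logs, the following added example (not part of the thread and not the project's code) flags requests where the `RemoteIP` stored in the session differs from the address at the end of the log line, and records whether the `check MatchIP_Mode` debug line appeared for that request. It assumes the log format shown above with the X-Forwarded-For value appended as the last token; `find_ip_mismatches` is a hypothetical name and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the log format shown in this thread; the last
# token is the X-Forwarded-For value appended via the custom log format.
SAMPLE_LOG = """\
[Mon May 31 10:33:17 2021] [debug] [pid 201] mod_auth_memcookie.c(453): [client 10.0.0.5:49780] Auth_memCookie: check MatchIP_Mode:1 203.0.113.10
[Mon May 31 10:36:05 2021] [debug] [pid 201] mod_auth_memcookie.c(592): [client 10.0.0.5:59232] Auth_memCookie: got cookie; value is aaaa1111 203.0.113.10
[Mon May 31 10:36:05 2021] [debug] [pid 201] mod_auth_memcookie.c(262): [client 10.0.0.5:59232] Auth_memCookie: session information 'RemoteIP'='203.0.113.10' 203.0.113.10
[Mon May 31 10:37:35 2021] [debug] [pid 201] mod_auth_memcookie.c(592): [client 10.0.0.5:58910] Auth_memCookie: got cookie; value is aaaa1111 198.51.100.7
[Mon May 31 10:37:35 2021] [debug] [pid 201] mod_auth_memcookie.c(262): [client 10.0.0.5:58910] Auth_memCookie: session information 'RemoteIP'='203.0.113.10' 198.51.100.7
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[pid (?P<pid>\d+)\] \S+: "
    r"\[client (?P<client>[^\]]+)\] Auth_memCookie: (?P<msg>.*) (?P<xff>\S+)$"
)
COOKIE_RE = re.compile(r"got cookie; value is (\S+)")
STORED_RE = re.compile(r"session information 'RemoteIP'='([^']*)'")


def find_ip_mismatches(lines):
    """Return one finding per request whose session IP differs from the observed IP."""
    # Assumption: lines sharing timestamp, pid and client ip:port belong to one request.
    requests = defaultdict(lambda: {"check_ran": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a mod_auth_memcookie line in the expected format
        req = requests[(m["ts"], m["pid"], m["client"])]
        req["observed"] = m["xff"]
        msg = m["msg"]
        if (c := COOKIE_RE.search(msg)):
            req["session"] = c.group(1)
        if (s := STORED_RE.search(msg)):
            req["stored"] = s.group(1)
        if "check MatchIP_Mode" in msg:
            req["check_ran"] = True  # the IP-match code path logged for this request
    return [
        {"time": ts, "session": r.get("session"), "stored": r["stored"],
         "observed": r["observed"], "check_ran": r["check_ran"]}
        for (ts, _, _), r in requests.items()
        if "stored" in r and r["stored"] != r["observed"]
    ]


if __name__ == "__main__":
    for finding in find_ip_mismatches(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with `check_ran` set to `False` matches the pattern in the logs above: the session was loaded from memcached for a different address and the `check MatchIP_Mode` line was never logged for that request.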
