[Mapbender-dev] mb_user_ip vs. remode_addr

NAGY, Tamas contact at wezo.org
Sat Jan 31 15:20:29 EST 2009

Hi folks!

A couple of days ago, I came across an interesting phenomenon and i  
would like to report it now:

If visitors come through multiple web-proxies (the requests are made  
once via proxy-a, once over proxy-b) and want to reach a mapbender GUI
it is not guaranteed that $_SESSION['mb_user_ip'] will be always equal  
to $_SERVER['REMOTE_ADDR']. Therefore, because in the  
mb_validateSession.php there is a check against these variables  
whether they are equal or not, sometimes it can happen that the login  
form appears for these users.
In bigger companies where there are more proxy servers it can happen  
that once a web-request is made over proxy-a and once over proxy-b.

Best regards,

More information about the Mapbender_dev mailing list