XF 2.1 Admin IP

John8777

New member
I was just wondering if there was any way to disable this security feature that seems to tie each admin panel login to the IP itself? Those of us managing the forum through a dynamic VPN or privacy network like Tor have to continuously re-login.
 
There is no core feature that ties an admin login to an IP. You either have an add-on or .htaccess involved.
I should've probably tried to explain it a bit better.

Unlike the forum login itself, the admin panel has another layer of protection added and it requires the IP not to change during the login process, and if it does, it sends you back to the login form.

So if the IP changes mid-request, it won't log you in. This was added in XF2, btw.
 
Sessions are tied to IPs, especially if they're not persistent (i.e. 'Remember me'). Admin sessions are never persistent, so you're more likely to run into this there. It looks like you could modify this behavior in an add-on by overriding the CIDR matching configuration when instantiating the session, but I'm not 100% sure of the security implications there.
 
Okay, then in that case you can actually change that by editing your src/config.php file and extending the session container:

PHP:
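$c->extend('session', function(\XF\Session\Session $session)
{
    // A CIDR prefix length of 0 compares no address bits,
    // so the session is accepted from any IPv4/IPv6 address.
    $session->setConfig([
        'ipv4CidrMatch' => 0,
        'ipv6CidrMatch' => 0
    ]);
    return $session;
});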
 
Thanks Ozzy, I just tested it out via Tor and it seems to have worked. Much appreciated!

I do understand that many people don't need this, so I appreciate the help.
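
An added example, not part of the original thread and not XenForo's own code: a generic prefix comparison showing what a CIDR match length does to a session when the client address changes, and why 0 disables the binding entirely. It assumes the two settings are CIDR prefix lengths; the function name, addresses and the prefix values other than 0 are constructed for illustration.

```php
<?php
// Added illustration; not XenForo source. ipWithinPrefix() is a hypothetical helper.

/**
 * True when $current falls in the same /$prefix network as $stored.
 * A prefix of 0 compares no bits, so every address matches.
 */
function ipWithinPrefix(string $stored, string $current, int $prefix): bool
{
    $a = @inet_pton($stored);
    $b = @inet_pton($current);
    // Unparseable input or mixed IPv4/IPv6 never matches.
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false;
    }
    $prefix = max(0, min($prefix, strlen($a) * 8));
    $fullBytes = intdiv($prefix, 8);
    if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
        return false;
    }
    $remBits = $prefix % 8;
    if ($remBits === 0) {
        return true;
    }
    // Compare only the leading bits of the partially covered byte.
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
}

// Constructed sample data (documentation address ranges).
$stored = '203.0.113.10';   // address recorded when the admin logged in
$cases = [
    ['203.0.113.77', 'same /24, e.g. DHCP renewal'],
    ['203.0.114.5',  'neighbouring /24'],
    ['198.51.100.9', 'unrelated network, e.g. new Tor exit'],
];
foreach ([32, 24, 16, 0] as $prefix) {
    foreach ($cases as [$ip, $label]) {
        printf("/%-2d %-13s %-38s %s\n", $prefix, $ip, $label,
            ipWithinPrefix($stored, $ip, $prefix) ? 'session kept' : 're-login');
    }
}
```

At a prefix of 0 the address check no longer distinguishes the admin's client from any other holder of the session cookie, which is the trade-off the setting makes; an intermediate prefix tolerates address changes inside one network while still rejecting unrelated ones.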
 