Summary:
Using IP address in password hash causes login failures
Detailed Description:
I've raised this over in the forum as well, but we've had a couple of users now
who keep getting logged out of the admin area.
https://forum.cmsmadesimple.org/viewtopic.php?f=8&t=77949
Looking in the admin log I can see that each time the user logs in again they're
coming from a slightly different IP address:
94.119.64.2 Susannah Logged In 14 Feb. 2018 12:41:27
94.119.64.7 Susannah Logged In 14 Feb. 2018 12:41:22
94.119.64.10 Susannah Logged In 14 Feb. 2018 12:41:16
We've had this with one user on BT Cloud WiFi which is a large public wifi
network and one user on an institutional school wifi network.
You can repeat the issue by logging into the admin area of an install and then
using a VPN connection to switch servers. It logs you out.
The IP address in the admin log is pulled from get_real_ip() which is also used
as part of the creation of the password hash.
If I remove get_real_ip from the hash creation / checking routines in
_check_passhash() , save_authentication() and _get_data() then I can log in as
usual but not get kicked out when swapping servers.
e.g.

$tmp = [ md5(__FILE__), \cms_utils::get_real_ip(), $_SERVER['HTTP_USER_AGENT'].CMS_VERSION ];
$salt = sha1(serialize($tmp));

to

$tmp = [ md5(__FILE__), $_SERVER['HTTP_USER_AGENT'].CMS_VERSION ];
$salt = sha1(serialize($tmp));
I can see why adding an IP address to the hash would be attractive but I can
also see how users might switch IP addresses so I don't think we can rely on it
as part of the password hash.
Let me know if you need any more info. And thanks as always for all your
work....
cheers.
s.
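The behaviour described in the report, modelled as an added example (not CMS Made Simple's own code): a session value is derived from a salt built from the same three ingredients the report names (md5(__FILE__), the client IP from get_real_ip(), and user agent plus version), then re-derived and compared on later requests. All input values are constructed, the function names make_salt / make_passhash / check_session / simulate are this example's own, and how the salt is mixed with the stored credential is an assumption, since the report only shows the salt construction. The example goes one step beyond the report by also modelling a network-prefix binding (the prefix_len option), which is not something the report proposes.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed stand-ins for the inputs named in the report.
FILE_HASH = hashlib.md5(b"/constructed/path/to/admin/login.php").hexdigest()  # md5(__FILE__)
USER_AGENT = "Mozilla/5.0 (constructed user agent)"                           # HTTP_USER_AGENT
CMS_VERSION = "0.0.0-constructed"                                              # CMS_VERSION
STORED_CREDENTIAL = "constructed-stored-password-hash"                         # assumed input


def make_salt(ip, user_agent=USER_AGENT, bind_ip=True, prefix_len=None):
    """Model of the salt built in save_authentication() / _check_passhash().

    bind_ip=True    -> behaviour the report describes (the client IP is part of the salt)
    bind_ip=False   -> the change the report proposes (IP dropped from the salt)
    prefix_len=N    -> assumption, not in the report: bind the /N network instead of the host
    """
    parts = [FILE_HASH]
    if bind_ip:
        if prefix_len is not None:
            # Two addresses in the same /N produce the same salt component.
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            parts.append(str(net))
        else:
            parts.append(ip)
    parts.append(user_agent + CMS_VERSION)
    # json.dumps stands in for PHP serialize(); any stable encoding of the list works.
    return hashlib.sha1(json.dumps(parts).encode()).hexdigest()


def make_passhash(ip, user_agent=USER_AGENT, **opts):
    """Value stored in the session at login (assumed: sha1(salt + stored credential))."""
    salt = make_salt(ip, user_agent=user_agent, **opts)
    return hashlib.sha1((salt + STORED_CREDENTIAL).encode()).hexdigest()


def check_session(stored, ip, user_agent=USER_AGENT, **opts):
    """Re-derive the value for the current request and compare in constant time."""
    current = make_passhash(ip, user_agent=user_agent, **opts)
    return hmac.compare_digest(stored, current)


def simulate(bind_ip=True, prefix_len=None):
    """Log in from the first address in the report's admin log, then present the
    stored value from the next two. Returns [(ip, accepted), ...]."""
    login_ip = "94.119.64.2"
    later_ips = ["94.119.64.7", "94.119.64.10"]
    stored = make_passhash(login_ip, bind_ip=bind_ip, prefix_len=prefix_len)
    return [
        (ip, check_session(stored, ip, bind_ip=bind_ip, prefix_len=prefix_len))
        for ip in later_ips
    ]


if __name__ == "__main__":
    for label, kwargs in [("IP bound (reported)", {}),
                          ("IP not bound (proposed)", {"bind_ip": False}),
                          ("/24 bound (assumption)", {"prefix_len": 24})]:
        print(label, simulate(**kwargs))
```

With the IP in the salt, every request from a different address is rejected, which is exactly the repeated "Logged In" entries in the admin log. Dropping the IP makes the session stable across addresses but also removes one check that made a copied session value less useful from elsewhere; the user agent and version still bind it, and a network-prefix binding is one middle ground if the addresses a client hops between share a prefix, as the three in the report do.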