##########################################################################################
VEH-10: Check Framework's IP source
##########################################################################################

Issue Type: Task
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Closed
Resolution: Fixed (2013-11-10 01:36:40)

Project: VehMan (VEH)
Reported By: btasker
Assigned To: btasker

Targeted for fix in version:
  - 1.0.1

Labels: Sessions

Time Estimate: 0 minutes
Time Logged: 0 minutes
-----------------------------------------------------------------------------------------

Issue Description
==================

Check that BTFramework honours X-Forwarded-For in function getIP, otherwise users behind the same proxy will be able to use each other's tokens.

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2013-10-18 06:39:41 btasker
-----------------------------------------------------------------------------------------
method getip has been adjusted, but changes haven't yet been tested

-----------------------------------------------------------------------------------------
2013-10-18 06:39:45
-----------------------------------------------------------------------------------------
btasker changed status from 'Open' to 'In Progress'

-----------------------------------------------------------------------------------------
2013-11-10 01:33:21 btasker
-----------------------------------------------------------------------------------------
Added IP check to test submodule. Unfortunately it's returning the IP of the proxy, so need to identify why.

-- BEGIN QUOTE --
{"timestamp":1384047032,"response":"127.0.0.1","errors":null,"error":0}
-- END QUOTE --

Headers are

-- BEGIN QUOTE --
{"timestamp":1384047145,"response":{"X-Real-IP":"81.134.152.4","X-Forwarded-For":"81.134.152.4","Host":"api.vehiclefueltracker.co.uk","Connection":"close","Accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8","User-Agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/28.0.1500.71 Chrome\/28.0.1500.71 Safari\/537.36","Accept-Encoding":"gzip,deflate,sdch","Accept-Language":"en-GB,en-US;q=0.8,en;q=0.6","Cookie":"__utma=121090191.1565016685.1381890140.1382075380.1383390128.7; __utmz=121090191.1381890140.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"},"errors":null,"error":0}
-- END QUOTE --

Don't want to rely on the X-Real-IP as that's something Nginx has been configured to send.

-----------------------------------------------------------------------------------------
2013-11-10 01:36:27 btasker
-----------------------------------------------------------------------------------------
The keyname used with $_SERVER wasn't prefixed by HTTP_. Commit a4e2475 resolves.

-----------------------------------------------------------------------------------------
2013-11-10 01:36:40
-----------------------------------------------------------------------------------------
btasker changed status from 'In Progress' to 'Resolved'

-----------------------------------------------------------------------------------------
2013-11-10 01:36:40
-----------------------------------------------------------------------------------------
btasker added 'Fixed' to resolution

-----------------------------------------------------------------------------------------
2013-11-10 01:36:46
-----------------------------------------------------------------------------------------
btasker changed status from 'Resolved' to 'Closed'
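
-----------------------------------------------------------------------------------------
Added example, not part of the original issue and not BTFramework's code: a client-IP lookup that reads X-Forwarded-For under the HTTP_-prefixed $_SERVER key, and only when the request arrived from the reverse proxy itself, so a token bound to the IP cannot be moved by a client sending its own header. The function name clientIp, the TRUSTED_PROXIES list and the sample inputs are assumptions.

```php
<?php
// Added example, not BTFramework's getIP. TRUSTED_PROXIES is an assumption:
// the addresses the reverse proxy connects from (127.0.0.1 in this issue).
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Forwarded headers count only when the socket peer is our own proxy;
    // a direct client could put anything in them.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }

    // PHP exposes request headers as HTTP_<NAME>, upper-cased with dashes
    // turned into underscores, so the key is HTTP_X_FORWARDED_FOR.
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // Walk the chain right to left: entries on the right were added by
    // proxies we run, entries further left may be client-supplied.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fall back to the socket peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed inputs modelled on the headers quoted in the issue.
$cases = [
    'viaProxy' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '81.134.152.4'],
    'wrongKey' => ['REMOTE_ADDR' => '127.0.0.1', 'X-Forwarded-For' => '81.134.152.4'],
    'prefixed' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '10.9.8.7, 81.134.152.4'],
    'direct'   => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '81.134.152.4'],
];
foreach ($cases as $name => $server) {
    printf("%-9s => %s\n", $name, clientIp($server));
}
```

The wrongKey case reproduces the symptom in the activity log: without the HTTP_ prefix the header is never found and every client resolves to the proxy's address.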