fatvegan

ExpressionEngine has a pretty brittle session mechanism. It has all sorts of devices for making it more secure and harder to spoof. But it causes issues with quite a few of our clients. Today we found a weird problem with what turned out to be a proxy-related issue. Some requests would be be sent through the proxy and some weren't, so the IP address would change. Strangely, no one was ever logged out but some requests would fail (and be redirected back to the login screen with no message).

In system/expressionengine/libraries/Session.php ExpressionEngine includes a check for the IP address when it gets the session data. Commenting out the line for the IP address and turning off IP address checks in the configuration seems to have fixed it for me.

public function fetch_session_data()
{
    // Look for session.  Match the user's IP address and browser for added security.
    $this->EE->db->select('member_id, admin_sess, last_activity')
        ->where('session_id', (string) $this->sdata['session_id'])
        //->where('ip_address', $this->sdata['ip_address'])
        ->where('user_agent', $this->sdata['user_agent']);
...

I've been using RevealCloud for about four months and it's pretty sweet. I've been through a few server monitoring tools over the last 10 years and all of them tell me there's a problem with the site when it's too late to actually fix it with SSH. Mostly it's because I've let the disk fill up or there's a memory leak in Apache (or more often silly old lighttpd), so it's good to know about stuff starting to break. Which is just what RevealCloud does. It runs a little process and monitors stuff, sends it to their server (so you get nice graphs of that stuff) and sends you an email when certain things are outside boundaries you set up. It works extremely well. And so far I've had no false alarms, which is so terribly wonderful.

I've started turning off my other monitoring software (especially Monitis, which I was actually paying for).