Mojolicious does not set $ENV{REMOTE_ADDR} (nor $ENV{HTTP_*}) as
it may share ENV between different requests.
Fortunately for us, Plack does not!

This is a dirty patch to fix this issue but it seems that there are not
a lot of solutions. It adds a remote_addr parameter to
C4::Auth::check_cookie_auth in order to send it from
Koha::Rest::V1::startup reading the headers sent by Mojolicious.
Test plan:
Hit /cgi-bin/koha/mainpage.pl
Hit /api/v1/patrons/42
Hit /cgi-bin/koha/mainpage.pl
With this patch applied, everything will be fine and you won't be
logged out.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
sub check_cookie_auth {
my $cookie = shift;
my $flagsrequired = shift;
+ my $params = shift;
+ my $remote_addr = $params->{remote_addr} || $ENV{REMOTE_ADDR};
my $dbh = C4::Context->dbh;
my $timeout = _timeout_syspref();
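Review bot: The new third argument read by `my $params = shift;` is an undocumented hashref that callers can only reach by passing a placeholder for $flagsrequired, as the REST caller does with undef. Please document the remote_addr key next to the sub. Note also that `$params->{remote_addr} || $ENV{REMOTE_ADDR}` leaves $remote_addr undefined when neither source is set.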
$userid = undef;
$sessionID = undef;
return ("expired", undef);
- } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) {
+ } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $remote_addr ) {
# IP address changed
$session->delete();
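Review bot: In the SessionRestrictionByIP branch, `$ip ne $remote_addr` is still evaluated when $remote_addr is undefined. The comparison is then true, an uninitialized-value warning is emitted if warnings are enabled, and `$session->delete()` runs as if the IP had changed. Consider handling the undefined case explicitly, logging it and deciding deliberately whether to fail closed, so that a missing address is distinguishable from a changed one.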
cb => sub {
my $c = shift;
- my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
+ # ENV{REMOTE_ADDR} is not set here, we need to read the headers
+ my $remote_addr = $c->req->headers->header('x-forwarded-for');
+ my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'), undef, { remote_addr => $remote_addr });
if ($status eq "ok") {
my $session = get_session($sessionID);
my $user = Koha::Patrons->find($session->param('number'));
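Review bot: `$c->req->headers->header('x-forwarded-for')` takes the address from a request header that the client can set itself unless a trusted reverse proxy overwrites it, so the SessionRestrictionByIP check now compares against a caller-supplied value. The header may also carry a comma-separated list of addresses, or be absent when no proxy is in front, and neither case is handled here. Consider Mojolicious' `$c->tx->remote_address`, or accept the header only when the peer is a known proxy and take a single address from it.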