Currently Tsugi disallows LTI sessions from traversing arbitrary IP addresses, but allows sessions to move within the host space of a classic "Class C" network, i.e. ignoring the last 8 bits:
```php
// We only check the first three octets as some systems wander through the addresses on
// class C - Perhaps it is even NAT - who knows - but we forgive those on the same Class C
$session_addr = self::wrapped_session_get($session_object, 'REMOTE_ADDR', null);
$ipaddr = Net::getIP();
if ( (!$trusted) && $session_addr && $ipaddr &&
    Net::isRoutable($session_addr) && Net::isRoutable($ipaddr) ) {
    $sess_pieces = explode('.',$session_addr);
    $serv_pieces = explode('.',$ipaddr);
    if ( count($sess_pieces) == 4 && count($serv_pieces) == 4 ) {
        if ( $sess_pieces[0] != $serv_pieces[0] || $sess_pieces[1] != $serv_pieces[1] ||
             $sess_pieces[2] != $serv_pieces[2] ) {
            if ( strpos($iphistory, $session_addr) !== false ) {
                error_log("IP Address changed, session_addr=". $session_addr.' current='.$ipaddr." but trusting iphistory=".$iphistory);
                // (excerpt ends here; the remaining branches are not shown)
```
Presumably this is intended as an additional layer of protection against possible session hijacking vulnerabilities? However, this is proving too restrictive for users on LTE networks, where the UE will move through many different public IP addresses at relatively high frequency. The exact behaviour varies between carriers, but changes generally occur whenever the modem switches cells, towers, or reconnects to the same cell, any of which is possible without the UE necessarily physically moving.
I'm far from a network expert, but the problem seems to be that these networks use smaller prefixes than 24 bits. In my testing between IP reassigns, some carriers randomly change all the host bits, easily revealing the small prefix; on others they appear to use at least a 24-bit prefix, but on closer inspection the IPs are merely more adjacent, suggesting a difference in IP pool management, i.e. there being no guarantee the next IP won't cross the 24-bit threshold, only being less likely to.
Anecdotally I'm seeing around 1.86% of all sessions being expired due to IP changes (based on usage on the order of thousands/day). From my random interrogations, the majority of these appear to be due to IP changes within a network prefix smaller than 24 bits rather than between different networks.
Originally I was thinking this restriction could be made configurable. But then again, this issue is fairly general... students will use LTE networks to do work, on their phone, as a hotspot, or with an LTE modem on a laptop/tablet etc... In which case, perhaps this restriction should be considered for removal?
(The code excerpt above is from tsugi-php/src/Core/LTIX.php, lines 2107 to 2119 in 8b1eeda.)
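As an added illustration of the "make it configurable" option (example code, not Tsugi's own): a prefix-length comparison that replaces the hard-coded first-three-octets test with a bitmask over a configurable prefix, works for IPv4 and IPv6, and keeps the excerpt's iphistory exception. The `$prefixBits` parameter and the function names are hypothetical; the addresses are constructed from documentation ranges.

```php
<?php
// Added example, not from the Tsugi code base. $prefixBits is assumed to come
// from a (hypothetical) configuration value instead of the fixed /24.

// True when $a and $b share the same leading $prefixBits bits.
// Returns false for unparsable input or a mixed IPv4/IPv6 comparison.
function sameNetworkPrefix(string $a, string $b, int $prefixBits): bool {
    if (filter_var($a, FILTER_VALIDATE_IP) === false ||
        filter_var($b, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $pa = inet_pton($a);
    $pb = inet_pton($b);
    if (strlen($pa) !== strlen($pb)) {
        return false;                       // IPv4 vs IPv6: never the same network
    }
    $maxBits   = strlen($pa) * 8;           // 32 for IPv4, 128 for IPv6
    $bits      = max(0, min($prefixBits, $maxBits));
    $fullBytes = intdiv($bits, 8);
    if (substr($pa, 0, $fullBytes) !== substr($pb, 0, $fullBytes)) {
        return false;                       // differ inside the whole-byte part
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Partial byte, e.g. /20 compares only the top 4 bits of the third byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($pa[$fullBytes]) ^ ord($pb[$fullBytes])) & $mask) === 0;
}

// Mirrors the decision in the excerpt: the session survives an address change
// when both addresses share the configured prefix, or when the original
// session address already appears in the comma-separated IP history.
// Note the excerpt's strpos() test is a substring match, so "10.0.0.1"
// would also match a history entry of "10.0.0.12".
function sessionAddressAcceptable(string $sessionAddr, string $currentAddr,
                                  string $ipHistory, int $prefixBits): bool {
    if (sameNetworkPrefix($sessionAddr, $currentAddr, $prefixBits)) {
        return true;
    }
    return strpos($ipHistory, $sessionAddr) !== false;
}

// Constructed sample addresses (RFC 5737 documentation ranges).
var_dump(sameNetworkPrefix('203.0.113.10', '203.0.113.200', 24));  // same /24
var_dump(sameNetworkPrefix('203.0.113.10', '203.0.114.9', 24));    // crosses the /24
var_dump(sameNetworkPrefix('203.0.113.10', '203.0.114.9', 16));    // same /16
var_dump(sessionAddressAcceptable('203.0.113.10', '198.51.100.7', '', 24));
```

With the prefix length as a setting, an operator could pick /16 (or disable the check entirely) for deployments with many LTE users while keeping /24 elsewhere.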