From 8bd469ba5dcacc2683e74c578978f90fc6a440d8 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Wed, 19 Feb 2014 14:32:20 +0100
Subject: [PATCH 1/2] [CHANGED] Parse X-FORWARDED-FOR when supplied
Instead of trusting REMOTE_ADDR we should parse X-FORWARDED-FOR if supplied. This will properly use the user IP in a multi-LB setup. Needs testing
---
 public/include/classes/user.class.php | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 0e02fd0f..afa277a6 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -148,7 +148,7 @@ class User extends Base {
 $lastLoginTime = $this->getLastLogin($uid);
 $this->updateLoginTimestamp($uid);
 $getIPAddress = $this->getUserIp($uid);
- if ($getIPAddress !== $_SERVER['REMOTE_ADDR']) {
+ if ($getIPAddress !== $this->getCurrentIP()) {
 $this->log->log("warn", "$username has logged in with a different IP, saved is [$getIPAddress]");
 }
 $setIPAddress = $this->setUserIp($uid, $_SERVER['REMOTE_ADDR']);
@@ -883,7 +883,7 @@ public function isAuthenticated($logout=true) {
 * @param checkforwarded bool check HTTP_X_FORWARDED_FOR for a valid ip first
 * @return string IP address
 */
- public function getCurrentIP($trustremote=true, $checkclient=false, $checkforwarded=false) {
+ public function getCurrentIP($trustremote=false, $checkclient=false, $checkforwarded=true) {
 $client = (isset($_SERVER['HTTP_CLIENT_IP'])) ? $_SERVER['HTTP_CLIENT_IP'] : false;
 $fwd = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : false;
 $remote = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : @$_SERVER['REMOTE_ADDR'];
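Review bot: The comparison on the added line now uses `$this->getCurrentIP()`, but the statement after the closing `}` still persists `$_SERVER['REMOTE_ADDR']` through `setUserIp()`, so behind a load balancer the saved address is the proxy's while the compared address is the forwarded one, and the "logged in with a different IP" warning will fire on every login. Resolve the current address once and use it for both sides: `$currentIP = $this->getCurrentIP();` before the `if`, then `if ($getIPAddress !== $currentIP) {` and `$setIPAddress = $this->setUserIp($uid, $currentIP);`. The `last_ip_pop` check in public/index.php in the second patch compares against the same stored value and appears to have the same stored-vs-forwarded mismatch (inferred; the assignment of `last_ip_pop` is outside the hunk). The enclosing login method starts and ends outside the hunk.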
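Review bot: Flipping the defaults to `$trustremote=false, $checkforwarded=true` makes every existing caller honour `HTTP_X_FORWARDED_FOR` unconditionally, yet that header is supplied by whoever sends the request, so for any request that does not arrive through a proxy that rewrites it the address this function returns — and everything keyed on it, including the different-IP warning in the first hunk — is chosen by the client rather than observed by the server. The forwarded header should only be consulted when `$remote` is one of the deployment's known proxy addresses; a configurable trusted-proxy list checked before the `$fwd` branches would make the new default safe to ship. The docblock above the signature should state that assumption, for example `* HTTP_X_FORWARDED_FOR is honoured only when REMOTE_ADDR is a trusted proxy; the header is otherwise client-controlled.` The body of getCurrentIP continues past the hunk.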
@@ -893,13 +893,7 @@ public function isAuthenticated($logout=true) {
 } else if (strpos($fwd, ',') !== false && !$trustremote && $checkforwarded) {
 // multiple proxies
 $ips = explode(',', $fwd);
- $path = array();
- foreach ($ips as $ip) {
- if (filter_var($ip, FILTER_VALIDATE_IP)) {
- $path[] = $ip;
- }
- }
- return array_pop($path);
+ return $ips[0];
 } else if (filter_var($fwd, FILTER_VALIDATE_IP) && !$trustremote && $checkforwarded) {
 // single
 return $fwd;
From 28d114b099051e21af5e389cad3a7223c6075c95 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Thu, 20 Feb 2014 08:26:58 +0100
Subject: [PATCH 2/2] [ADDED] Use getCurrentIP on IP check
---
 public/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/index.php b/public/index.php
index 2f7cd01e..8f312174 100644
--- a/public/index.php
+++ b/public/index.php
@@ -99,7 +99,7 @@ if (count(@$_SESSION['last_ip_pop']) == 2) {
 $ip = filter_var($data[0], FILTER_VALIDATE_IP);
 $time = date("l, F jS \a\\t g:i a", $data[1]);
 $closelink = "Close";
- if (@$_SESSION['AUTHENTICATED'] && $_SESSION['last_ip_pop'][0] !== $_SERVER['REMOTE_ADDR']) {
+ if (@$_SESSION['AUTHENTICATED'] && $_SESSION['last_ip_pop'][0] !== $user->getCurrentIP()) {
 $_SESSION['POPUP'][] = array('CONTENT' => "You last logged in from $ip on $time $closelink", 'TYPE' => 'warning');
 } else {
 $_SESSION['POPUP'][] = array('CONTENT' => "You last logged in from $ip on $time $closelink", 'TYPE' => 'info');
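Review bot: `return $ips[0];` drops the `filter_var(..., FILTER_VALIDATE_IP)` check the removed loop applied, so when the header carries several entries the function now returns whatever the leftmost element contains — text that is not an IP address at all, or an address with surrounding whitespace when entries are written as `a, b` — and that value flows into the IP comparison and into `setUserIp()`. Validate and trim it, falling back to `$remote` otherwise, which keeps the return a usable address: `$first = trim($ips[0]);` then `return filter_var($first, FILTER_VALIDATE_IP) ? $first : $remote;`. The removed code also returned the last valid entry (`array_pop`), which is the one appended by the proxy nearest the server, whereas the new code returns the first, which is the one furthest from it and the only one the original sender writes directly; choose the position deliberately and record the reason in the `// multiple proxies` comment. The getCurrentIP body starts and ends outside the hunk.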