Remove session_validate_ip_address option

This option basically is useless in the age of CGNAT and mobile networks.

diff --git a/com.woltlab.wcf/option.xml b/com.woltlab.wcf/option.xml
index 2e493ad36fe65a2a7bee710c12a29da7dae5707e..e6a0170bfbfff367c9a596968cc70346924d3cc4 100644 (file)
--- a/com.woltlab.wcf/option.xml
+++ b/com.woltlab.wcf/option.xml
@@ -638,11 +638,6 @@ private:wcf.acp.option.exception_privacy.private</selectoptions>
                                <minvalue>1</minvalue>
                                <suffix>seconds</suffix>
                        </option>
-                       <option name="session_validate_ip_address">
-                               <categoryname>security.general.session</categoryname>
-                               <optiontype>boolean</optiontype>
-                               <defaultvalue>0</defaultvalue>
-                       </option>
                        <option name="session_validate_user_agent">
                                <categoryname>security.general.session</categoryname>
                                <optiontype>boolean</optiontype>

diff --git a/constants.php b/constants.php
index 3c4b10db4ddf2149e1c5cc56421ce89a1d4eae6e..0ff986c30a9b66d13cfa809473b878b854e3e125 100644 (file)
--- a/constants.php
+++ b/constants.php
@@ -74,7 +74,6 @@ define('PROXY_SERVER_HTTP', '');
 define('SESSION_TIMEOUT', 1800);
 define('IP_ADDRESS_SEARCH_ENGINE', '');
 define('USER_ONLINE_TIMEOUT', 900);
-define('SESSION_VALIDATE_IP_ADDRESS', 0);
 define('SESSION_VALIDATE_USER_AGENT', 1);
 define('SESSION_ENABLE_VIRTUALIZATION', 1);
 define('ENABLE_USER_AUTHENTICATION_FAILURE', 1);

diff --git a/wcfsetup/install/files/lib/system/WCF.class.php b/wcfsetup/install/files/lib/system/WCF.class.php
index ae945e08e23d68f31f1ea98efa5e60dee44adfcb..a81604b33e1b347897ce27557a63dd6f52f48a24 100644 (file)
--- a/wcfsetup/install/files/lib/system/WCF.class.php
+++ b/wcfsetup/install/files/lib/system/WCF.class.php
@@ -388,6 +388,10 @@ class WCF {
                // https://github.com/WoltLab/WCF/issues/3339
                define('EXTERNAL_LINK_REL_NOFOLLOW', 1);
                
+               // Session validation is removed since 5.4.
+               // https://github.com/WoltLab/WCF/pull/3583
+               define('SESSION_VALIDATE_IP_ADDRESS', 0);
+               
                $filename = WCF_DIR.'options.inc.php';
                
                // create options file if doesn't exist

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index 8064e4c891b8768b56c57117edd66bcf0e4d4142..29d20fe502ac53fe664383b00943786c371b5992 100644 (file)
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -496,17 +496,6 @@ class SessionHandler extends SingletonFactory {
         * @return      boolean
         */
        protected function validate() {
-               if (SESSION_VALIDATE_IP_ADDRESS) {
-                       if ($this->virtualSession instanceof ACPSessionVirtual) {
-                               if ($this->virtualSession->ipAddress != UserUtil::getIpAddress()) {
-                                       return false;
-                               }
-                       }
-                       else if ($this->session->ipAddress != UserUtil::getIpAddress()) {
-                               return false;
-                       }
-               }
-               
                if (SESSION_VALIDATE_USER_AGENT) {
                        if ($this->virtualSession instanceof ACPSessionVirtual) {
                                if ($this->virtualSession->userAgent != UserUtil::getUserAgent()) {

diff --git a/wcfsetup/install/files/options.inc.php b/wcfsetup/install/files/options.inc.php
index 30931b0d7020a3963c3a6a5cafd65648fc533342..d68ebf3c4fb6da4876301fa4c26d5091c095bc86 100644 (file)
--- a/wcfsetup/install/files/options.inc.php
+++ b/wcfsetup/install/files/options.inc.php
@@ -27,7 +27,6 @@ define('BLACKLIST_USER_AGENTS', '');
 define('BLACKLIST_HOSTNAMES', '');
 
 define('SESSION_TIMEOUT', 3600);
-define('SESSION_VALIDATE_IP_ADDRESS', 0);
 define('SESSION_VALIDATE_USER_AGENT', 0);
 
 define('CACHE_SOURCE_TYPE', 'disk');

diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 575446518a33047082585a368ed04ba7bdc91642..2db117c7b5e9784a5736565ade47dbeddcbbbecf 100644 (file)
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -1366,8 +1366,6 @@ ACHTUNG: Die oben genannten Meldungen sind stark gekürzt. Sie können Details z
                <item name="wcf.acp.option.proxy_server_http"><![CDATA[Proxy-Server (HTTP)]]></item>
                <item name="wcf.acp.option.session_timeout"><![CDATA[Gültigkeitslänge einer Sitzung]]></item>
                <item name="wcf.acp.option.session_timeout.description"/>
-               <item name="wcf.acp.option.session_validate_ip_address"><![CDATA[IP-Adresse der Sitzung überprüfen]]></item>
-               <item name="wcf.acp.option.session_validate_ip_address.description"><![CDATA[Eine Aktivierung dieser Einstellung kann Benutzer ausschließen, die mit wechselnden IP-Adressen im Internet unterwegs sind.]]></item>
                <item name="wcf.acp.option.session_validate_user_agent"><![CDATA[Browser-Kennung der Sitzung überprüfen]]></item>
                <item name="wcf.acp.option.session_enable_virtualization"><![CDATA[Virtuelle Sessions erlauben]]></item>
                <item name="wcf.acp.option.session_enable_virtualization.description"><![CDATA[Benutzer können sich mit mehreren Endgeräten (PC, Tablet, Smartphone, etc.) gleichzeitig anmelden, alle Geräte nutzen dann die selbe Sitzung. Die Abschaltung dieser Option hat zur Folge, dass ein Benutzer nur von einem einzigen Gerät gleichzeitig angemeldet sein darf und sich unter Umständen die Geräte auf diese Weise gegenseitig abmelden. Die Deaktivierung dieser Option wird nicht empfohlen und sollte nur vorgenommen werden, wenn {if LANGUAGE_USE_INFORMAL_VARIANT}du dir{else}Sie sich{/if} der Konsequenzen bewusst {if LANGUAGE_USE_INFORMAL_VARIANT}bist{else}sind{/if}.]]></item>

diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 82346f6014f7f2996744740aa514da8f032f0feb..d6694805ffc586c7cc69a3e1741f515a15333091 100644 (file)
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -1343,8 +1343,6 @@ ATTENTION: The messages listed above are greatly shortened. You can view details
                <item name="wcf.acp.option.proxy_server_http"><![CDATA[Proxy-Server (HTTP)]]></item>
                <item name="wcf.acp.option.session_timeout"><![CDATA[User Session Timeout]]></item>
                <item name="wcf.acp.option.session_timeout.description"><![CDATA[User sessions expire after the following seconds.]]></item>
-               <item name="wcf.acp.option.session_validate_ip_address"><![CDATA[Validate IP address]]></item>
-               <item name="wcf.acp.option.session_validate_ip_address.description"><![CDATA[Enabling this validation might cause issues for users with a rotating IP address.]]></item>
                <item name="wcf.acp.option.session_validate_user_agent"><![CDATA[Validate user-agent]]></item>
                <item name="wcf.acp.option.session_enable_virtualization"><![CDATA[Allow session sharing]]></item>
                <item name="wcf.acp.option.session_enable_virtualization.description"><![CDATA[Users can login from multiple devices (desktop, tablet, smartphone, etc.) concurrently; all devices will share the same session. Disabling this will restrict users to only one device (session) at a time, causing all the other device sessions to terminate. It is not recommended to disable this option.]]></item>