Hi,
OTRS 6.
The documentation states that the parameter SessionCheckRemoteIP turns on the remote IP address check, but I can't find a good explanation of what the remote IP address check is used for. I also want to know what security implications arise from disabling the remote IP address check.
Thank you.
SessionCheckRemoteIP
Moderator: crythias
Re: SessionCheckRemoteIP
Hi,
I could think of faking IP addresses and taking over sessions. Usually it is not disabled.
On clusters or with dial-up connections you might think of disabling it.
Flo
OTRS 2025 SILVER (Prod)
OTRS 2025 on Debian 12 (Test)
Znuny 7.x latest version testing on Debian 12
-- I do not answer forum questions by PM - No PN please
I won't answer to unfriendly users any more. A greeting and regards are just polite.
- Znuny superhero
- Posts: 914
- Joined: 15 Dec 2016, 15:13
- Znuny Version: All
- Real Name: Emin
- Company: Efflux GmbH
Re: SessionCheckRemoteIP
Hello,
The SessionCheckRemoteIP makes sure that a session is bound to a single IP address (the IP which created the session).
Advantages: It's harder to steal a session.
That would normally require a non-secure connection or access to the PC/Phone/Tablet, but I guess in that case you'd have other problems ...
Disadvantages: Your users will have a hard time if they work outside of a static IP. Some examples:
- mobile phones, which frequently change IPs or keep switching between Wi-Fi/5G/LTE/3G
- they are working within a proxy farm
- they are using a non-company VPN
- they work from home without a static IP (that normally happens at night and only needs to be considered if you also increased the keep-alive time of a session)
Best regards
Emin
Professional Znuny and OTRS services: efflux.de | efflux.de/en/
Free and premium add-ons: German | English
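The trade-off discussed in this thread, as an added sketch (not OTRS or Znuny code, and not written by any poster): a toy session store whose `check_remote_ip` flag stands in for SessionCheckRemoteIP. The class, its method names and the documentation-range IP addresses are constructed for illustration.

```python
import ipaddress
import secrets
import time


class SessionStore:
    """Toy session backend; check_remote_ip plays the role of SessionCheckRemoteIP."""

    def __init__(self, check_remote_ip=True, max_idle=3600):
        self.check_remote_ip = check_remote_ip
        self.max_idle = max_idle  # seconds of inactivity before the session expires
        self._sessions = {}

    @staticmethod
    def _norm(ip):
        # Normalise so "::ffff:192.0.2.10" and "192.0.2.10" compare equal;
        # otherwise a dual-stack front end would lock out legitimate users.
        addr = ipaddress.ip_address(ip)
        mapped = getattr(addr, "ipv4_mapped", None)
        return str(mapped if mapped is not None else addr)

    def create(self, user, remote_ip, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = {"user": user, "ip": self._norm(remote_ip), "last": now}
        return sid

    def check(self, sid, remote_ip, now=None):
        """Return (True, user) or (False, reason) for a request carrying sid."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return False, "unknown session"
        if now - session["last"] > self.max_idle:
            del self._sessions[sid]
            return False, "idle timeout"
        # The binding itself: the request must come from the creating IP.
        # A copied session ID presented from elsewhere is rejected, and so is
        # the real user after switching from Wi-Fi to LTE or changing VPN exit.
        if self.check_remote_ip and self._norm(remote_ip) != session["ip"]:
            return False, "remote IP changed"
        session["last"] = now
        return True, session["user"]
```

With the flag off, the session ID alone authorises the request, so transport security, cookie flags and a short idle timeout carry the whole load.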