View Issue Details

ID: 0029336
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2023-02-15 03:51
Reporter: devnull
Assigned To:
Status: acknowledged
Resolution: open
Platform: amd64
OS: FreeBSD
OS Version: 13
Product Version: 2.25.2
Summary: 0029336: session died due to Cloudflare proxy


I use the Cloudflare proxy in DNS to access my website to prevent DDoS and other attacks.
Cloudflare acts as a reverse proxy between the website visitor and the server.
The IP address that the server receives isn't the client IP address, but a Cloudflare IP address.
So, the IP address can change in the same session; Cloudflare uses many IP addresses randomly.

As you can see in the Apache error.log, in the same session the IP address changed from to

[Fri Dec 03 15:02:29] [client] AH01071: Got error 'PHP message: PHP Warning: 2702 in /usr/local/www/apache24/data/ on line 218', referer:

[Fri Dec 03 15:03:11] [client] AH01071: Got error 'PHP message: PHP Warning: 2702 in /usr/local/www/apache24/data/ on line 218', referer:

To solve the problem, I temporarily removed the if( $t_user_ip != $t_last_ip ) {...} block in bugtracker/core/session_api.php.

So, is it possible to obtain the real client IP address (CF-CONNECTING-IP) so that it works properly?
Or do you have any other solution for that?

Tags: No tags attached.


related to 0012771 (new): Users behind proxy will get 'ERROR_SESSION_NOT_VALID' if secure_session is checked during login
related to 0013035 (acknowledged): Secure Session Support for Platforms masking client source address but injecting HTTP headers
related to 0032022 (closed, dregad): Image upload issue




2021-12-03 12:21

developer   ~0066062

You could deactivate session validation by adding the following lines to config_inc.php

$g_session_validation = OFF;



2021-12-03 12:53

reporter   ~0066063

Last edited: 2021-12-03 15:23

Thanks, astrol.
It solves the problem too, although security risks are involved.

In future versions, if possible, please evaluate using "x-forwarded-for" to identify the real IP address connected through an HTTP proxy; it would be really welcome.
Thus, we can keep session validation ON.

Thanks again for your assistance!



2021-12-04 13:59

developer   ~0066064

> use "x-forwarded-for" to identify real IP address

In case someone should start working on this, some more information that should be considered



2023-02-15 03:42

developer   ~0067391

The problem with using the X-Forwarded-For header is that it can easily be spoofed, so it is not a reliable source of information in the context of session validation.
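
One way to reconcile the two positions in this thread, as an added example that is not MantisBT code: honor the CF-Connecting-IP header only when the TCP peer (REMOTE_ADDR) is inside a configured list of trusted proxy ranges, and fall back to REMOTE_ADDR otherwise. The function names and the proxy list (documentation address ranges used as placeholders) are assumptions; a real deployment would load the ranges published by its proxy operator.

```php
<?php
// Added example, not MantisBT code; function names and proxy ranges are hypothetical.

// True when $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false
        || filter_var($net, FILTER_VALIDATE_IP) === false
        || ($bits !== null && !ctype_digit($bits))) {
        return false;
    }
    $ip_bin  = inet_pton($ip);
    $net_bin = inet_pton($net);
    $max     = strlen($net_bin) * 8;
    $bits    = $bits === null ? $max : (int) $bits;
    if (strlen($ip_bin) !== strlen($net_bin) || $bits > $max) {
        return false; // address-family mismatch or impossible prefix length
    }
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ip_bin, 0, $bytes) !== substr($net_bin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) { return true; }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // compare the partial byte
    return (ord($ip_bin[$bytes]) & $mask) === (ord($net_bin[$bytes]) & $mask);
}

// Address to use for session validation: forwarded header only from a trusted peer.
function resolve_client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trusted_proxies as $cidr) {
        if (!ip_in_cidr($peer, $cidr)) { continue; }
        $fwd = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
        // Accept a single well-formed address only; otherwise keep the peer address.
        return filter_var($fwd, FILTER_VALIDATE_IP) !== false ? $fwd : $peer;
    }
    return $peer; // direct connection: any forwarded header is ignored
}

// Constructed sample requests (documentation address ranges, not real Cloudflare ranges).
$trusted = ['192.0.2.0/24', '2001:db8::/32'];
$requests = [
    'proxy edge A'           => ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_CF_CONNECTING_IP' => '198.51.100.7'],
    'proxy edge B'           => ['REMOTE_ADDR' => '192.0.2.77',  'HTTP_CF_CONNECTING_IP' => '198.51.100.7'],
    'direct, spoofed header' => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7'],
];
foreach ($requests as $label => $server) {
    printf("%-24s %s\n", $label, resolve_client_ip($server, $trusted));
}
```

In this sample the two proxied requests resolve to the same client address even though the edge address changed, while the direct request carrying a forged header resolves to its own peer address.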