What is "session_check_ip"?

Please give some “explanation” of this. How will it work if it is “on” and “off”?

Thanks

1 Like

To maintain continuity of connection with the server (such as with a logged-in user), the product uses a session between the server and the browser.

The config.inc.php setting session_check_ip determines if that connection is dependent on the IP address of the client.

If session_check_ip is ON, then only that one IP address can use the session. Say, for example, you were logged in via WiFi on your mobile device and then switched over to 4G. This would change your device’s IP address, and the session would be disconnected and you would need to log in again. Some server and network configurations may make client IP changes frequent.

With session_check_ip OFF, any IP address that knows the session key can use the session. Say, for example, you were logged in without HTTPS and someone snooped on your HTTP traffic and discovered the session key. They could then use that key to effectively log in as you from their own machine (with a different IP address).

Thus, a session_check_ip setting of ON improves security with respect to snooping attacks, but may cause user login trouble in some instances.

3 Likes
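
The trade-off described in the answer above, as an added example that is not part of the original thread and is not the product's own code. The `login()` and `resume()` functions, the in-memory store and the sample addresses are assumptions made for illustration; only the `session_check_ip` name comes from the thread.

```php
<?php
// Added illustration; not the product's code. The $config key mirrors the
// session_check_ip setting; function names and the in-memory store are hypothetical.

function login(array &$store, string $user, string $clientIp): string
{
    $key = bin2hex(random_bytes(16));   // unguessable session key sent to the browser
    $store[$key] = ['user' => $user, 'ip' => $clientIp];
    return $key;
}

// Returns the user name if the request may use the session, or null if it must log in.
function resume(array $store, array $config, string $key, string $clientIp): ?string
{
    if (!isset($store[$key])) {
        return null;                    // unknown key
    }
    if ($config['session_check_ip'] && $store[$key]['ip'] !== $clientIp) {
        return null;                    // right key, wrong address: refused
    }
    return $store[$key]['user'];
}

// Constructed sample addresses from the documentation ranges.
$cases = [
    'owner, same WiFi address'     => '192.0.2.10',
    'owner, after switching to 4G' => '198.51.100.7',
    'snooper replaying the key'    => '203.0.113.50',
];

foreach ([true, false] as $checkIp) {
    $config = ['session_check_ip' => $checkIp];
    $store  = [];
    $key    = login($store, 'alice', '192.0.2.10');
    printf("session_check_ip %s\n", $checkIp ? 'ON' : 'OFF');
    foreach ($cases as $label => $ip) {
        $user = resume($store, $config, $key, $ip);
        printf("  %-30s %s\n", $label, $user === null ? 'must log in' : "accepted as $user");
    }
}
```

The check compares addresses only, so it cannot tell apart two clients that reach the server from the same address, such as users behind one NAT gateway or proxy.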

Thank you very much for the immediate reply. You nailed it!

God bless and more power!