Resolution: Won't Fix
Affects Version/s: 6.2.X EE, 7.0.X EE, Master
Fix Version/s: None
Component/s: Security Vulnerability
User's IP address is always registered as IP address of web server.
The client has configured Liferay behind Apache and load balancers, so when a user logs in, the value of "loginip" in the "user_" table is always one of the local IP addresses of the load balancers.
The client would like some mechanism to track where a user login is coming from; as it is now, it takes some work to track that down.
The client has people logging in from around the world and would like to confirm that the logins are valid and not hacking attempts. It would also allow them to match IP addresses in the Apache logs to the Liferay logins.
Steps to Reproduce:
1. Configure an Apache web server VM with a Liferay bundle.
2. Obtain the IP address of the server and access it from another computer.
3. Log in to the server as the default user test.
4. Check the "loginIP" column in the user_ table for test.
Result: Confirm that the user's IP address is always registered as the IP address of the web server instead of the user's local IP address.
Results of Testing:
Expected Results: User's local IP address is logged in "loginIP" column of user_ table.
Actual Results: IP address of web server is always logged in "loginIP" column of user_ table.
Branch? Yes, reproduced in 6.2.x
Git ID: f94163053cdf82c0125b46b24c2ed22df0059134
Master? Yes, reproduced in master
Git ID: fbe35f0b2b74392f31554a8223ddf76f9d0803a4
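
An added example, not Liferay code and not part of the original ticket: one way to recover the user's address behind the proxies, so that the value stored for a login can be matched against the Apache logs. It assumes Apache and the load balancers append the X-Forwarded-For header; the class name ClientIpResolver and all addresses are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ClientIpResolver {
    // Addresses of the Apache host and load balancers (constructed sample values).
    private final Set<String> trustedProxies;

    public ClientIpResolver(String... proxies) {
        this.trustedProxies = new HashSet<>(Arrays.asList(proxies));
    }

    /**
     * @param remoteAddr    the peer address, as HttpServletRequest.getRemoteAddr() returns it
     * @param xForwardedFor the X-Forwarded-For header value, or null if absent
     */
    public String resolve(String remoteAddr, String xForwardedFor) {
        // A peer that is not one of our proxies controls the header itself: ignore it.
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Each proxy appends the address it received the request from, so walk
        // right to left and stop at the first hop that is not a trusted proxy.
        String candidate = remoteAddr;
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                continue;
            }
            candidate = hop;
            if (!trustedProxies.contains(hop)) {
                break;
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        ClientIpResolver r = new ClientIpResolver("10.0.0.5", "10.0.0.6");
        // Normal login through load balancer 10.0.0.5 and Apache 10.0.0.6.
        System.out.println(r.resolve("10.0.0.6", "203.0.113.7, 10.0.0.5"));
        // Client pre-filled the header with a forged entry; it sits left of the real hop.
        System.out.println(r.resolve("10.0.0.6", "198.51.100.9, 203.0.113.7, 10.0.0.5"));
        // Request that bypassed the proxies: the header is not trusted at all.
        System.out.println(r.resolve("203.0.113.7", "198.51.100.9"));
    }
}
```

Taking the leftmost header entry instead would let any user choose the address recorded for their login, which defeats the purpose of validating where logins come from.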