CyberHosting

Fixing error_message": "Session reuse detected, IPAddress logged

tigertiger
in General Discussion
{"errorMessage": "Session reuse detected, IPAddress logged.", "error_message": "Session reuse detected, IPAddress logged."}

Can you point me how to fix/disable this?

My IP is dynamic, so every now and then it will be changed by my ISP. Sometimes it's minutes, and it can be hours.

Before (1.8.6 or older) this is not a problem.
Share on Facebook

Comments

  • CyberPanelCyberPanel
    Do you want to remove this limitation?
    Share on Facebook
  • brunoxkettybrunoxketty
    I have the same problem, I have to go straight, only a vps is not accessible. How to troubleshoot this issue
    Share on Facebook
  • CyberPanelCyberPanel
    edited August 30
    If your IP change frequently and you don't need this protection, you can edit this file

    https://github.com/usmannasir/cyberpanel/blob/1.8.0/CyberCP/secMiddleware.py

    Remove line 11-40.

    On server this file is available at /usr/local/CyberCP/CyberCP

    then systemctl restart lscpd
    Share on Facebook
  • brunoxkettybrunoxketty
    edited July 31
    I did the procedure, but in the browser returns error 500 (solved - it was my mistake)
    Share on Facebook
  • brunoxkettybrunoxketty
    Thanks Cyber Panel got it.
    after I started giving this problem I would switch panels, but there is no better panel with this support.
    Share on Facebook
  • linholiverlinholiver
    pls fix it
    I same err
    after remove line 11-40, i don't use cyberpanel access anybutton
    Share on Facebook
  • anhtuananhtuan
    please fix that problem, :( still can not working anymore
    Share on Facebook
  • hennaboyhennaboy
    Surely the more professional look would be to redirect to the login page rather than just showing an error message like that?

    Share on Facebook
  • anhtuananhtuan
    edited September 13
    CyberPanel said:

    If your IP change frequently and you don't need this protection, you can edit this file

    https://github.com/usmannasir/cyberpanel/blob/1.8.0/CyberCP/secMiddleware.py

    Remove line 11-40.

    On server this file is available at /usr/local/CyberCP/CyberCP

    then systemctl restart lscpd

    How can i edit that file on my server? im not know that :(
    Share on Facebook
  • anhtuananhtuan
    edited September 13
    brunoxketty said:

    I did the procedure, but in the browser returns error 500 (solved - it was my mistake)

    i got error: 500
    what's next?
    Share on Facebook
  • CyberPanelCyberPanel
    edited September 14
    @anhtuan

    It is possible that you remove some additional lines from secMiddleware.py which is why you are getting 500 error.
    Share on Facebook
  • anhtuananhtuan
    edited September 14
    CyberPanel said:

    @anhtuan

    It is possible that you remove some additional lines from settings.py which is why you are getting 500 error.

    please lest me now for fix that! which line to remove in setting.py?. so now im swicth to vpssim.
    Share on Facebook
  • CyberPanelCyberPanel
    edited September 14
    In your secMiddleware.py file remove these lines 
            try:
                uID = request.session['userID']
                ipAddr = request.META.get('REMOTE_ADDR')

                if ipAddr.find('.') > -1:
                    if request.session['ipAddr'] == ipAddr:
                        pass
                    else:
                        del request.session['userID']
                        del request.session['ipAddr']
                        logging.writeToFile(request.META.get('REMOTE_ADDR'))
                        final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
                                     "errorMessage": "Session reuse detected, IPAddress logged."}
                        final_json = json.dumps(final_dic)
                        return HttpResponse(final_json)
                else:
                    ipAddr = request.META.get('REMOTE_ADDR').split(':')[:3]

                    if request.session['ipAddr'] == ipAddr:
                        pass
                    else:
                        del request.session['userID']
                        del request.session['ipAddr']
                        logging.writeToFile(request.META.get('REMOTE_ADDR'))
                        final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
                                     "errorMessage": "Session reuse detected, IPAddress logged."}
                        final_json = json.dumps(final_dic)
                        return HttpResponse(final_json)
            except:
                pass
    Usually they are in line 11-40. Final code shoud look like 
    from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
    import json
    from django.shortcuts import HttpResponse

    class secMiddleware:

        def __init__(self, get_response):
            self.get_response = get_response

        def __call__(self, request):
            try:
                uID = request.session['userID']
                ipAddr = request.META.get('REMOTE_ADDR')

                
            if request.method == 'POST':
                try:
                    #logging.writeToFile(request.body)
                    data = json.loads(request.body)
                    for key, value in data.iteritems():
                        if request.path.find('gitNotify') > -1:
                            break

                        # if request.path.find('users') > -1 or request.path.find('firewall') > -1 or request.path.find('servicesAction') > -1 or request.path.find('sslForHostName') > -1:
                        #     logging.writeToFile(request.body)
                        #     final_dic = {'error_message': "Data supplied is not accepted.",
                        #                  "errorMessage": "Data supplied is not accepted."}
                        #     final_json = json.dumps(final_dic)
                        #     return HttpResponse(final_json)

                        if type(value) == str or type(value) == unicode:
                            pass
                        else:
                            continue

                        if request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('filemanager') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
                            continue
                        if key == 'ports' or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' or key == 'fileContent':
                            continue
                        if value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
                                or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
                                or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
                                or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
                            logging.writeToFile(request.body)
                            final_dic = {'error_message': "Data supplied is not accepted.",
                                         "errorMessage": "Data supplied is not accepted."}
                            final_json = json.dumps(final_dic)
                            return HttpResponse(final_json)
                        if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
                                or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
                                or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
                                or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
                            logging.writeToFile(request.body)
                            final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted."}
                            final_json = json.dumps(final_dic)
                            return HttpResponse(final_json)
                except BaseException, msg:
                    logging.writeToFile(str(msg))
                    response = self.get_response(request)
                    return response
            response = self.get_response(request)
            return response

    and this file is available at /usr/local/CyberCP/CyberCP
    Share on Facebook
  • anhtuananhtuan
    @CyberPanel : line 11 is: try
    and line 40 is: pass
    https://43.224.33.39:8090/websites/
    Error 500 here
    Share on Facebook
  • CyberPanelCyberPanel
    Create ticket and mention ticket number here.
    Share on Facebook
  • anhtuananhtuan
    CyberPanel said:

    Create ticket and mention ticket number here.

    Ticket #5FJ7PV thanks
    Share on Facebook
  • w3servicesw3services
    Hi 500 server error start.

    Please confirm if 2 lines required or not. As your above not clear..


    try:
    uID = request.session['userID']
    ipAddr = request.META.get('REMOTE_ADDR')
    Share on Facebook
  • w3servicesw3services
    The final code should look like ??

    Why again in these 3 lines?

    try:
    uID = request.session['userID']
    ipAddr = request.META.get('REMOTE_ADDR')



    Its showing 500 server error. Please help.
    Share on Facebook
  • whattheserverwhattheserver
    Backup current config
    mv /usr/local/CyberCP/secMiddleware.py /usr/local/CyberCP/secMiddleware.py-bak

    Download new version.
    wget -O /usr/local/CyberCP/secMiddleware.py https://github.com/usmannasir/cyberpanel/raw/stable/CyberCP/secMiddleware.py

    then download run the upgrade/update cache clearing script

    wget -O /usr/local/CyberCP/upgrade.sh https://github.com/usmannasir/cyberpanel/raw/stable/upgrade.sh
    chmod +x /usr/local/CyberCP/upgrade.sh

    Then run this and give it a few minutes to clear cache and restart cyberpanel daemon
    bash /usr/local/CyberCP/upgrade.sh

    This should bring it back to stock.

    The file has probably changed some since the original post was made.

    Looks like relevant lines are 12-41 that need removed or commented out.
    https://github.com/usmannasir/cyberpanel/blob/ecffcd59412fa0d94b1574df0c02b3027b0aebe9/CyberCP/secMiddleware.py#L12-L41

    If you want to easily remove the lines via commenting them out(make them inactive)

    this can be done via sed command below.
    sed -i '12,41 s/^/#/' /usr/local/CyberCP/CyberCP/secMiddleware.py

    You can then confirm it via checking the lines right before and after.
    sed -n '10,42p' /usr/local/CyberCP/CyberCP/secMiddleware.py




    Before:
    [email protected]:~# sed -n '10,42p' /usr/local/CyberCP/CyberCP/secMiddleware.py

    def __call__(self, request):
    try:
    uID = request.session['userID']
    ipAddr = request.META.get('REMOTE_ADDR')

    if ipAddr.find('.') > -1:
    if request.session['ipAddr'] == ipAddr:
    pass
    else:
    del request.session['userID']
    del request.session['ipAddr']
    logging.writeToFile(request.META.get('REMOTE_ADDR'))
    final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
    "errorMessage": "Session reuse detected, IPAddress logged."}
    final_json = json.dumps(final_dic)
    return HttpResponse(final_json)
    else:
    ipAddr = request.META.get('REMOTE_ADDR').split(':')[:3]

    if request.session['ipAddr'] == ipAddr:
    pass
    else:
    del request.session['userID']
    del request.session['ipAddr']
    logging.writeToFile(request.META.get('REMOTE_ADDR'))
    final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
    "errorMessage": "Session reuse detected, IPAddress logged."}
    final_json = json.dumps(final_dic)
    return HttpResponse(final_json)
    except:
    pass
    if request.method == 'POST':
    [email protected]:~#

    After:
    [email protected]:~# sed -i '12,41 s/^/#/' /usr/local/CyberCP/CyberCP/secMiddleware.py
    [email protected]:~# sed -n '10,42p' /usr/local/CyberCP/CyberCP/secMiddleware.py

    def __call__(self, request):
    # try:
    # uID = request.session['userID']
    # ipAddr = request.META.get('REMOTE_ADDR')
    #
    # if ipAddr.find('.') > -1:
    # if request.session['ipAddr'] == ipAddr:
    # pass
    # else:
    # del request.session['userID']
    # del request.session['ipAddr']
    # logging.writeToFile(request.META.get('REMOTE_ADDR'))
    # final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
    # "errorMessage": "Session reuse detected, IPAddress logged."}
    # final_json = json.dumps(final_dic)
    # return HttpResponse(final_json)
    # else:
    # ipAddr = request.META.get('REMOTE_ADDR').split(':')[:3]
    #
    # if request.session['ipAddr'] == ipAddr:
    # pass
    # else:
    # del request.session['userID']
    # del request.session['ipAddr']
    # logging.writeToFile(request.META.get('REMOTE_ADDR'))
    # final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
    # "errorMessage": "Session reuse detected, IPAddress logged."}
    # final_json = json.dumps(final_dic)
    # return HttpResponse(final_json)
    # except:
    # pass
    if request.method == 'POST':
    [email protected]:~#

    [email protected]:~# systemctl restart lscpd
    [email protected]:~#
    Share on Facebook
  • whattheserverwhattheserver
    Actually, I coded an option you can enable or disable this within that file.
    https://github.com/usmannasir/cyberpanel/commit/c335952b2a350690c79082e8ffb45cfebd2c039c

    I do not have a dynamic session that changes to verify it that works, but the file works on my test server and has an if condition to only run if 'true' so in theory should work for you to toggle it off by setting value to 'false' without having to comment or delete lines in the core file which bound to be error-prone.

    Download the file with option to toggle.
    wget -O /usr/local/CyberCP/secMiddleware.py https://github.com/usmannasir/cyberpanel/raw/c335952b2a350690c79082e8ffb45cfebd2c039c/CyberCP/secMiddleware.py


    Default: On 'true'

    To set to On 'true'
    sed -i "s/^sessionIPValidation =.*/sessionIPValidation = 'true'/g" /usr/local/CyberCP/CyberCP/secMiddleware.py

    To set to Off: 'false'
    sed -i "s/^sessionIPValidation =.*/sessionIPValidation = 'false'/g" /usr/local/CyberCP/CyberCP/secMiddleware.py

    To check status:
    grep -E '^sessionIPValidation' /usr/local/CyberCP/CyberCP/secMiddleware.py

    Example of this toggled to On(true): Default
    [email protected]:~# grep -E '^sessionIPValidation' /usr/local/CyberCP/CyberCP/secMiddleware.py
    sessionIPValidation = 'true'
    [email protected]:~#


    Example of this toggled to Off(false):
    [email protected]:~# grep -E '^sessionIPValidation' /usr/local/CyberCP/CyberCP/secMiddleware.py
    sessionIPValidation = 'false'
    [email protected]:~#

    After toggling:
    systemctl restart lscpd||service lscpd restart

    Test

    If it works ill submit a pull request to have it merged to the stable branch.
    Share on Facebook
Sign In or Register to comment.
CyberPanel Discord

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links

Categories

In this Discussion