Fixing error_message": "Session reuse detected, IPAddress logged

tiger · July 2019

{"errorMessage": "Session reuse detected, IPAddress logged.", "error_message": "Session reuse detected, IPAddress logged."}

Can you point me how to fix/disable this?

My IP is dynamic, so every now and then it will be changed by my ISP. Sometimes it's minutes, and it can be hours.

Before (1.8.6 or older) this is not a problem.

CyberPanel · July 2019

Do you want to remove this limitation?

brunoxketty · July 2019

I have the same problem, I have to go straight, only a vps is not accessible. How to troubleshoot this issue

CyberPanel · July 2019

If your IP change frequently and you don't need this protection, you can edit this file

https://github.com/usmannasir/cyberpanel/blob/1.8.0/CyberCP/secMiddleware.py

Remove line 11-40.

On server this file is available at /usr/local/CyberCP/CyberCP

then systemctl restart lscpd

brunoxketty · July 2019

I did the procedure, but in the browser returns error 500 (solved - it was my mistake)

brunoxketty · July 2019

Thanks Cyber Panel got it.
after I started giving this problem I would switch panels, but there is no better panel with this support.

linholiver · August 2019

pls fix it
I same err
after remove line 11-40, i don't use cyberpanel access anybutton

anhtuan · August 2019

please fix that problem,

still can not working anymore

anhtuan · September 2019

CyberPanel said:
If your IP change frequently and you don't need this protection, you can edit this file

https://github.com/usmannasir/cyberpanel/blob/1.8.0/CyberCP/secMiddleware.py

Remove line 11-40.

On server this file is available at /usr/local/CyberCP/CyberCP

then systemctl restart lscpd

How can i edit that file on my server? im not know that

anhtuan · September 2019

brunoxketty said:
I did the procedure, but in the browser returns error 500 (solved - it was my mistake)

i got error: 500
what's next?

CyberPanel · September 2019

@anhtuan

It is possible that you remove some additional lines from secMiddleware.py which is why you are getting 500 error.

anhtuan · September 2019

CyberPanel said:
@anhtuan

It is possible that you remove some additional lines from settings.py which is why you are getting 500 error.

please lest me now for fix that! which line to remove in setting.py?. so now im swicth to vpssim.

CyberPanel · September 2019

In your secMiddleware.py file remove these lines

        try:
            uID = request.session['userID']
            ipAddr = request.META.get('REMOTE_ADDR')

            if ipAddr.find('.') > -1:
                if request.session['ipAddr'] == ipAddr:
                    pass
                else:
                    del request.session['userID']
                    del request.session['ipAddr']
                    logging.writeToFile(request.META.get('REMOTE_ADDR'))
                    final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
                                 "errorMessage": "Session reuse detected, IPAddress logged."}
                    final_json = json.dumps(final_dic)
                    return HttpResponse(final_json)
            else:
                ipAddr = request.META.get('REMOTE_ADDR').split(':')[:3]

                if request.session['ipAddr'] == ipAddr:
                    pass
                else:
                    del request.session['userID']
                    del request.session['ipAddr']
                    logging.writeToFile(request.META.get('REMOTE_ADDR'))
                    final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
                                 "errorMessage": "Session reuse detected, IPAddress logged."}
                    final_json = json.dumps(final_dic)
                    return HttpResponse(final_json)
        except:
            pass

Usually they are in line 11-40. Final code shoud look like

from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
import json
from django.shortcuts import HttpResponse

class secMiddleware:

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        try:
            uID = request.session['userID']
            ipAddr = request.META.get('REMOTE_ADDR')

            
        if request.method == 'POST':
            try:
                #logging.writeToFile(request.body)
                data = json.loads(request.body)
                for key, value in data.iteritems():
                    if request.path.find('gitNotify') > -1:
                        break

                    # if request.path.find('users') > -1 or request.path.find('firewall') > -1 or request.path.find('servicesAction') > -1 or request.path.find('sslForHostName') > -1:
                    #     logging.writeToFile(request.body)
                    #     final_dic = {'error_message': "Data supplied is not accepted.",
                    #                  "errorMessage": "Data supplied is not accepted."}
                    #     final_json = json.dumps(final_dic)
                    #     return HttpResponse(final_json)

                    if type(value) == str or type(value) == unicode:
                        pass
                    else:
                        continue

                    if request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('filemanager') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
                        continue
                    if key == 'ports' or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' or key == 'fileContent':
                        continue
                    if value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
                            or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
                            or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
                            or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
                        logging.writeToFile(request.body)
                        final_dic = {'error_message': "Data supplied is not accepted.",
                                     "errorMessage": "Data supplied is not accepted."}
                        final_json = json.dumps(final_dic)
                        return HttpResponse(final_json)
                    if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
                            or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
                            or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
                            or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
                        logging.writeToFile(request.body)
                        final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted."}
                        final_json = json.dumps(final_dic)
                        return HttpResponse(final_json)
            except BaseException, msg:
                logging.writeToFile(str(msg))
                response = self.get_response(request)
                return response
        response = self.get_response(request)
        return response

and this file is available at /usr/local/CyberCP/CyberCP

anhtuan · September 2019

@CyberPanel : line 11 is: try
and line 40 is: pass
https://43.224.33.39:8090/websites/
Error 500 here

CyberPanel · September 2019

Create ticket and mention ticket number here.

anhtuan · September 2019

CyberPanel said:
Create ticket and mention ticket number here.

Ticket #5FJ7PV thanks

w3services · November 2019

Hi 500 server error start.

Please confirm if 2 lines required or not. As your above not clear..

try:
uID = request.session['userID']
ipAddr = request.META.get('REMOTE_ADDR')

w3services · November 2019

The final code should look like ??

Why again in these 3 lines?

try:
uID = request.session['userID']
ipAddr = request.META.get('REMOTE_ADDR')

Its showing 500 server error. Please help.

whattheserver · November 2019

Backup current config
mv /usr/local/CyberCP/secMiddleware.py /usr/local/CyberCP/secMiddleware.py-bak

Download new version.
wget -O /usr/local/CyberCP/secMiddleware.py https://github.com/usmannasir/cyberpanel/raw/stable/CyberCP/secMiddleware.py

then download run the upgrade/update cache clearing script

wget -O /usr/local/CyberCP/upgrade.sh https://github.com/usmannasir/cyberpanel/raw/stable/upgrade.sh
chmod +x /usr/local/CyberCP/upgrade.sh

Then run this and give it a few minutes to clear cache and restart cyberpanel daemon
bash /usr/local/CyberCP/upgrade.sh

This should bring it back to stock.

The file has probably changed some since the original post was made.

Looks like relevant lines are 12-41 that need removed or commented out.
https://github.com/usmannasir/cyberpanel/blob/ecffcd59412fa0d94b1574df0c02b3027b0aebe9/CyberCP/secMiddleware.py#L12-L41

If you want to easily remove the lines via commenting them out(make them inactive)

this can be done via sed command below.
sed -i '12,41 s/^/#/' /usr/local/CyberCP/CyberCP/secMiddleware.py

You can then confirm it via checking the lines right before and after.
sed -n '10,42p' /usr/local/CyberCP/CyberCP/secMiddleware.py

Before:
[email protected]:~# sed -n '10,42p' /usr/local/CyberCP/CyberCP/secMiddleware.py

def __call__(self, request):
try:
uID = request.session['userID']
ipAddr = request.META.get('REMOTE_ADDR')

if ipAddr.find('.') > -1:
if request.session['ipAddr'] == ipAddr:
pass
else:
del request.session['userID']
del request.session['ipAddr']
logging.writeToFile(request.META.get('REMOTE_ADDR'))
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
"errorMessage": "Session reuse detected, IPAddress logged."}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
else:
ipAddr = request.META.get('REMOTE_ADDR').split(':')[:3]

if request.session['ipAddr'] == ipAddr:
pass
else:
del request.session['userID']
del request.session['ipAddr']
logging.writeToFile(request.META.get('REMOTE_ADDR'))
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
"errorMessage": "Session reuse detected, IPAddress logged."}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
except:
pass
if request.method == 'POST':
[email protected]:~#

After:
[email protected]:~# sed -i '12,41 s/^/#/' /usr/local/CyberCP/CyberCP/secMiddleware.py
[email protected]:~# sed -n '10,42p' /usr/local/CyberCP/CyberCP/secMiddleware.py

def __call__(self, request):
# try:
# uID = request.session['userID']
# ipAddr = request.META.get('REMOTE_ADDR')
#
# if ipAddr.find('.') > -1:
# if request.session['ipAddr'] == ipAddr:
# pass
# else:
# del request.session['userID']
# del request.session['ipAddr']
# logging.writeToFile(request.META.get('REMOTE_ADDR'))
# final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
# "errorMessage": "Session reuse detected, IPAddress logged."}
# final_json = json.dumps(final_dic)
# return HttpResponse(final_json)
# else:
# ipAddr = request.META.get('REMOTE_ADDR').split(':')[:3]
#
# if request.session['ipAddr'] == ipAddr:
# pass
# else:
# del request.session['userID']
# del request.session['ipAddr']
# logging.writeToFile(request.META.get('REMOTE_ADDR'))
# final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
# "errorMessage": "Session reuse detected, IPAddress logged."}
# final_json = json.dumps(final_dic)
# return HttpResponse(final_json)
# except:
# pass
if request.method == 'POST':
[email protected]:~#

[email protected]:~# systemctl restart lscpd
[email protected]:~#

whattheserver · November 2019

Actually, I coded an option you can enable or disable this within that file.
https://github.com/usmannasir/cyberpanel/commit/c335952b2a350690c79082e8ffb45cfebd2c039c

I do not have a dynamic session that changes to verify it that works, but the file works on my test server and has an if condition to only run if 'true' so in theory should work for you to toggle it off by setting value to 'false' without having to comment or delete lines in the core file which bound to be error-prone.

Download the file with option to toggle.
wget -O /usr/local/CyberCP/secMiddleware.py https://github.com/usmannasir/cyberpanel/raw/c335952b2a350690c79082e8ffb45cfebd2c039c/CyberCP/secMiddleware.py

Default: On 'true'

To set to On 'true'
sed -i "s/^sessionIPValidation =.*/sessionIPValidation = 'true'/g" /usr/local/CyberCP/CyberCP/secMiddleware.py

To set to Off: 'false'
sed -i "s/^sessionIPValidation =.*/sessionIPValidation = 'false'/g" /usr/local/CyberCP/CyberCP/secMiddleware.py

To check status:
grep -E '^sessionIPValidation' /usr/local/CyberCP/CyberCP/secMiddleware.py

Example of this toggled to On(true): Default
[email protected]:~# grep -E '^sessionIPValidation' /usr/local/CyberCP/CyberCP/secMiddleware.py
sessionIPValidation = 'true'
[email protected]:~#

Example of this toggled to Off(false):
[email protected]:~# grep -E '^sessionIPValidation' /usr/local/CyberCP/CyberCP/secMiddleware.py
sessionIPValidation = 'false'
[email protected]:~#

After toggling:
systemctl restart lscpd||service lscpd restart

Test

If it works ill submit a pull request to have it merged to the stable branch.

inspiredearth · February 2020

@whattheserver : I just want to say thank you for your work on this. I can see you put a significant amount of time into helping out with this. It's much appreciated.

Mysterious_Beans · April 2020

If you want to do this by commenting out (or removing) lines, then pay attention to the fact that the relevant line numbers may change with each update.

As of 2.0 the relevant lines are 17-47

nagione · June 2020

Thanks @Mysterious_Beans .. i did this as per your suggestion and it worked for me .. Cheers !!!

itspathanofficial · October 2020

given solutions are not working, please post the solution for this problem.

u575866717 · February 27

I think @CyberPanel should include it under security options and allow the user to switch it on or off

u575866717 · March 1

I tried both solutions suggested with no success, still getting the errors when IP changes

shanyx · March 20

Type your comment> @CyberPanel said:
> If your IP change frequently and you don't need this protection, you can edit this file
>
> https://github.com/usmannasir/cyberpanel/blob/1.8.0/CyberCP/secMiddleware.py
>
> Remove line 11-40.
>
> On server this file is available at /usr/local/CyberCP/CyberCP
>
> then systemctl restart lscpd

Solution did nt work. cyberpanel did not work properly with cloudflare

Master3395 · March 29

I have the same issue using CloudFlare.
I can sometimes log in, and some times I get the error.
{"error_message": "Session reuse detected, IPAddress logged.", "errorMessage": "Session reuse detected, IPAddress logged."}

The tutorial over just ends up with internal error 500.

mediakular · April 2

I have the same issue. I am also using CloudFlare.
After logging in I can browse 1-2 sites on cyberpanel, then I have to login again.

Everything works well when I log in with HTTP:<IP-address>:<Port> (only loading of each page takes much longer).
I only have the issue described above when I log in with HTTPS:<hostname>:<port>.

Same behavior for others?

arworld · 2:55AM

For cloudflare users please replace REMOTE_ADDR with True-Client-IP and for nginx please replace REMOTE_ADDR with X_REAL_IP
your issue will be resolved no need to remove a single line and also no 500 error cheers
regards
Aditya Rathore World

arworld · 3:03AM

> @arworld said:
> For cloudflare users please replace REMOTE_ADDR with True-Client-IP and for nginx please replace REMOTE_ADDR with X_REAL_IP
> your issue will be resolved no need to remove a single line and also no 500 error cheers
> regards
> Aditya Rathore World

# ipAddr = request.META.get('True-Client-IP').split(':')[:3]
you can comment above line if using cloudflare as it have single header ip only
def __call__(self, request):
try:
uID = request.session['userID']
admin = Administrator.objects.get(pk=uID)
ipAddr = request.META.get('True-Client-IP')

if ipAddr.find('.') > -1:
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
pass
else:
del request.session['userID']
del request.session['ipAddr']
logging.writeToFile(request.META.get('True-Client-IP'))
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
"errorMessage": "Session reuse detected, IPAddress logged."}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
else:
# ipAddr = request.META.get('True-Client-IP').split(':')[:3]

if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
pass
else:
del request.session['userID']
del request.session['ipAddr']
logging.writeToFile(request.META.get('True-Client-IP'))
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
"errorMessage": "Session reuse detected, IPAddress logged."}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
except:
pass

Fixing error_message": "Session reuse detected, IPAddress logged

Comments

Howdy, Stranger!

Categories

In this Discussion

Fixing error_message": "Session reuse detected, IPAddress logged

Comments

Howdy, Stranger!

Quick Links

Categories

In this Discussion