From aab4ae671b0e27eee69840663343136d820cc382 Mon Sep 17 00:00:00 2001
From: Pierre Faucquenoy
Date: Sun, 18 Feb 2024 17:19:19 +0100
Subject: [PATCH] fix(session): avoid redirection loop after auth behind reverse proxy
---
 include/functions_session.inc.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 747fabfc8..1fb958297 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -105,12 +105,18 @@ function get_remote_addr_session_hash()
 {
 return '';
 }
-
- if (strpos($_SERVER['REMOTE_ADDR'],':')===false)
+
+ $remoteAddr = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+
+ if (strpos($remoteAddr,':')===false)
 {//ipv4
+ if(strpos($remoteAddr, ',') !== false)
+ {
+ $remoteAddr = strstr($remoteAddr, ",", true);
+ }
 return vsprintf(
 "%02X%02X",
- explode('.',$_SERVER['REMOTE_ADDR'])
+ explode('.',$remoteAddr)
 );
 }
 return ''; //ipv6 not yet
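Review bot: `HTTP_X_FORWARDED_FOR` is client-supplied unless a reverse proxy overwrites it, yet the new `$remoteAddr` assignment prefers it whenever it is present, so the value returned by `get_remote_addr_session_hash()` is no longer tied to the connecting peer, and the left-most list entry kept by `strstr(..., ",", true)` is the part a client can set itself. The header should be honoured only when `$_SERVER['REMOTE_ADDR']` is a reverse proxy the site has configured as trusted (no such setting is visible in this hunk), and the selected entry should pass `filter_var(..., FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)` before it reaches `explode('.', ...)`; otherwise a value with fewer than two dot-separated parts gives `vsprintf` too few arguments. The `':'` test also runs before the list is cut at the first comma, so a list containing any IPv6 hop is treated as IPv6 as a whole. The function begins and ends outside the hunk; a sketch of the assignment follows.

```php
  // $trustedProxies: placeholder for a site-configured list of reverse-proxy addresses (not in this hunk)
  $remoteAddr = $_SERVER['REMOTE_ADDR'];
  if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) and in_array($remoteAddr, $trustedProxies, true))
  {
    // use the last entry, i.e. the address the trusted proxy itself observed,
    // and accept it only when it is a well-formed IPv4 address
    $hops = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $forwarded = trim(end($hops));
    if (filter_var($forwarded, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false)
    {
      $remoteAddr = $forwarded;
    }
  }
  // … unchanged: ':' test, then vsprintf("%02X%02X", explode('.', $remoteAddr)) …
```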