Craft CMS Asked by Tom Davies on August 16, 2021
On a production site, we’re seeing a ton of the following warning in our web.log
files for (seemingly) every request, creating a ton of noise in the logs and making it hard to spot “real” issues:
<DATE> [-][-][-][warning][craftwebUser::_validateUserAgentAndIp] Request didn’t meet the user agent and IP requirement for maintaining a user session.
Under the hood craftwebUser::_validateUserAgentAndIp()
does the following
private function _validateUserAgentAndIp(): bool
{
if (!Craft::$app->getConfig()->getGeneral()->requireUserAgentAndIpForSession) {
return true;
}
$request = Craft::$app->getRequest();
if ($request->getUserAgent() === null || $request->getUserIP() === null) {
Craft::warning('Request didn’t meet the user agent and IP requirement for maintaining a user session.', __METHOD__);
return false;
}
return true;
}
As far as I can see, (for front end templates at least) craft.app.request.userAgent
and craft.app.request.userIP
are correctly populated with the UA and IP respectively, so I’m not sure why/how Craft is throwing this warning.
We don’t see the same issue in dev / staging environments, so I know this is likely to be a configuration issue, but I’m asking this question to try and understand what’s going on so I have some idea of what to look for.
Question:
(Note: I know I could turn requireUserAgentAndIpForSession
off in config/general.php
, but I don’t really want to do that from a security POV)
Notes:
Most likely since it's a production site, it's from bots/scripts hitting the site's login page probing for vulnerabilities.
I'd suggest changing the cpTrigger config setting and see if the occurrences go down.
Answered by Brad Bell on August 16, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP