Using webmail in safari on an ipad over 3g causes "Your ip address has changed" errors

[tommcquarrie]

Hi there,

Just hoping there's a work around for this issue. Spent ages on google, couldn't find anything, so trying to use as many keywords as possible so others with the same issue can find this thread.

If you're on an ipad, using safari, on 3g, you can't use cpanel webmail without Cookie IP Validation off. Every request you make to webmail kicks you out with the standard "Your ip address has changed" error. If you're on wifi, or if you're using chrome on the ipad via 3g, it works fine.

Strangely, the ip address isn't actually changing. Running some tests echoing out $_SERVER from a test server, REMOTE_ADDR doesn't change from one request to the next. What DOES change is the port number at REMOTE_PORT. So I'm guessing when cpanel checks for an ip address change, they're actually checking a combination of the ip address and port.

I'd really prefer not to turn off Cookie IP Validation, but getting a fair few complaints with the current implementation. I'm wondering if it's possible to change the routine at all to check the ip address, but not the port number? Is there some template file I could modify to achieve this? Or would this also be quite dangerous and I'd be better off leaving the port number detection in place?

Any assistance would be greatly appreciated.

 

[cPanelMichael]

Hello

Do you notice any change in the results if you access webmail directly over the port 2095/2096 instead of through webmail.domain.com?

Thank you.

 

[tommcquarrie]

Hello

Do you notice any change in the results if you access webmail directly over the port 2095/2096 instead of through webmail.domain.com?

Thank you.

Thanks for the prompt reply. We redirect all users directly to mailserver.domain.com:2096. We force the use of the ssl connection.

I just temporarily disabled "require ssl" and logged in via port 2095, and the issue still persists, so from what I can tell it's definitely caused by safari connecting via a variety of local port numbers when using 3g.

I'm wondering though, if we're requiring ssl for all connections, perhaps the 'same ip address' restriction is overkill, considering (from what I'm aware) it would be impossible to highjack a login using ssl anyway. In your opinion, is there any security benefit to having both these options enabled at the same time?

 

[cPanelMichael]

I was unable to reproduce this issue using Safari on an iPad. Feel free to submit a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[tommcquarrie]

I originally posted that it worked in chrome. That must have been a fluke occurrence, it's not working in chrome either. Looking into it further, it's just an intermittent issue, across all browsers, when connecting over 3g, with the ip address changing on each request, which will be controlled by the cellular provider. So the only solution for enabling webmail access over 3g in these situations would be to disable the ip check.

Going back to my other question, if we have ssl connections as mandatory, is there still a risk of highjacking someone's login, to the point where the ip address check is still necessary?

 

[cPanelMichael]

Going back to my other question, if we have ssl connections as mandatory, is there still a risk of highjacking someone's login, to the point where the ip address check is still necessary?

Using SSL will not necessarily prevent any CSRF attack. Utilizing cookie IP validation adds an extra layer of security. It's up to the administrator to determine the right balance of security and usability that best suites their individual requirements.

Thank you.