
Is it possible to get (on ServerSide) if user's remoteIP is changed


irigsoft


My case is this:

1. The user is connected to public Wi-Fi

2. A new session is created and the server knows from which RemoteIP

3. After 15 minutes, while the user works with the open session, the Wi-Fi signal is lost and the phone automatically connects to a mobile network

4. The session has not timed out and the session has not been terminated, but the user's IP address has already changed.

I need to know when point 4 happens, is this possible?

 

I tried via TUniMainModule.UniGUIMainModuleHandleRequest to get it from TUniGUISession(ASession).RemoteIP, but the IP doesn't change; RemoteIP is always equal to what we started the session with!

Is there some global variable that collects this information?

 

28 minutes ago, Sherzod said:

This post may help you:

 

Thanks, but this does not work.

RemoteIP is always the same!!!

My code (uniGUI_runtime_1.90.0.1551 - Professional):

1. procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
begin
  // Remember the IP address the session was created from
  mInnerSessionID := UniSession.RemoteIP;
end;

2. procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
begin
  // Compare the stored IP with the IP of the current request
  if (mInnerSessionID <> TUniGUISession(ASession).ARequest.RemoteIP) then begin
    Handled := True;
    TUniGUISession(ASession).Terminate('Session is closed');
  end;
end;


11 minutes ago, Sherzod said:

So, were you able to achieve success?

No, I don't know why but when creating the new session the RemoteIP is for example 123.123.123.123

After I change the network (from Wi-Fi to mobile; they are from different operators) and try to keep working with my StandAloneApp,

through the function TUniMainModule.UniGUIMainModuleHandleRequest I check what TUniGUISession(ASession).ARequest.RemoteIP is; it is always the same (123.123.123.123) as when opening the session.

I think the RemoteIP should change, but even after 5 minutes it still hasn't, and the session is still alive!?!

@Sherzod, I must say that I change the network on the user's mobile device, not at the server!


43 minutes ago, Sherzod said:

Are you using a mobile device? If so, which device, browser? And what application do you use: mobile or desktop?

I tried it with mobile devices: Samsung (Android 10, Chrome + WebView), RedMi (Android 10, Chrome), Lenovo Tab 3 (Android 5.0, Chrome)

I use uniGUI Professional 1551 and a Desktop StandAlone Application for the server


37 minutes ago, Sherzod said:

Can you check the above solution on desktop (PC, notebook)?

I tried on a laptop (Win 7, Chrome); it does not work again.

In my code (that I wrote above) RemoteIP does not change (using TUniGUISession(ASession).ARequest.RemoteIP) when I change the network


1 minute ago, Sherzod said:

Strange, in principle this should always return the actual "IP".

Yes, I know.

1. procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
begin
  // Remember the IP address the session was created from
  mInnerSessionID := UniSession.RemoteIP;
end;

 

2. When I use this on TUniServerModule.UniGUIServerModuleHTTPCommand

begin
  sSessionID := ExtractSessionId(ARequestInfo.UnParsedParams);

  SessionManager.Sessions.Lock;
  for I := SessionManager.Sessions.SessionList.Count - 1 downto 0 do begin
    try
      U := SessionManager.Sessions.SessionList[I];
      // Check MainModule availability. Some sessions may not have a MainModule instance
      if (U.UniMainModule <> nil) then begin
        // Access custom MainModule variable: store the IP of the current request
        if (U.SessionId = sSessionID) then begin
          TUniMainModule(U.UniMainModule).sInnerSessionID := ARequestInfo.RemoteIP;
        end;
      end;
    except
      // Errors for a single session are ignored
    end;
  end;
  SessionManager.Sessions.Unlock;
end;

 

3. procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
begin
  // Compare the IP stored at session start with the IP stored by the HTTPCommand handler
  if (mInnerSessionID <> sInnerSessionID) then begin
    Handled := True;
    TUniGUISession(ASession).Terminate('Session is closed');
  end;
end;

 

then this works!

This slows down the server when I have more than 50 active sessions, so I am searching for a solution without using TUniServerModule.UniGUIServerModuleHTTPCommand

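The comparison described in the post above (IP stored at session start versus IP of the current request), as an added example that is not part of the original post and is not uniGUI code: it keeps the check to one dictionary lookup per request instead of locking and walking the session list. `BoundIp`, `BindSession`, `UnbindSession`, `IpChanged` and the sample session ids and addresses are hypothetical; it assumes the session id and the request's remote IP are available wherever the check is called.

```delphi
program SessionIpBindingDemo;
{$APPTYPE CONSOLE}

uses
  System.Generics.Collections;

var
  // Hypothetical store (not part of uniGUI): session id -> IP address the
  // session was opened from. Every access is guarded by TMonitor.
  BoundIp: TDictionary<string, string>;

// Call once when a session is created.
procedure BindSession(const SessionId, RemoteIP: string);
begin
  TMonitor.Enter(BoundIp);
  try
    BoundIp.AddOrSetValue(SessionId, RemoteIP);
  finally
    TMonitor.Exit(BoundIp);
  end;
end;

// Call when a session ends so the table does not grow without bound.
procedure UnbindSession(const SessionId: string);
begin
  TMonitor.Enter(BoundIp);
  try
    BoundIp.Remove(SessionId);
  finally
    TMonitor.Exit(BoundIp);
  end;
end;

// Call on every request. True only when the session is known and the
// request arrives from a different address than the one it was bound to.
function IpChanged(const SessionId, RemoteIP: string): Boolean;
var
  Bound: string;
begin
  TMonitor.Enter(BoundIp);
  try
    Result := BoundIp.TryGetValue(SessionId, Bound) and (Bound <> RemoteIP);
  finally
    TMonitor.Exit(BoundIp);
  end;
end;

begin
  BoundIp := TDictionary<string, string>.Create;
  try
    BindSession('sess-A', '123.123.123.123');  // constructed sample values
    Writeln('same network:   ', IpChanged('sess-A', '123.123.123.123'));
    Writeln('after handover: ', IpChanged('sess-A', '198.51.100.7'));
    UnbindSession('sess-A');
  finally
    BoundIp.Free;
  end;
end.
```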

@Sherzod, can you share with me whether it is possible to protect (somehow) my StandAlone application from session hijacking?

I know methods like: using a VPN, not using open Wi-Fi, not opening suspicious emails, but these are all on the user side and I don't have control over it.

I need some methods that I can apply in the server app.

1. I have protection from XSS

2. I already use Session Restriction like srOnePerIP/srOnePerPC

3. I already use short time of SessionTimeout

4. I have https

now I need: https://www.linkedin.com/advice/1/what-best-ways-prevent-session-hijacking#monitor-and-audit-sessions

1. to check User's data when session is opened and work with it!

2. Set SessionID cookie = Secure and HttpOnly

Or You can just tell me: "We have Session Hijacking protections, You need to do this ......"

 
