Stop tying the admin cookie to the source IP.

veluca93 · veluca93 · commit e00f0a62dc73 · 2025-07-01T13:09:06.000+02:00
This is inconvenient and does not really give additional security.
diff --git a/cms/server/admin/authentication.py b/cms/server/admin/authentication.py
@@ -92,7 +92,6 @@ def set(self, admin_id: int):
 
         """
         self._cookie["id"] = admin_id
-        self._cookie["ip"] = self._request.remote_addr
         self.refresh()
 
     def refresh(self):
@@ -161,21 +160,16 @@ def _verify_cookie(self):
             return
 
         admin_id = self._cookie.get("id", None)
-        remote_addr = self._cookie.get("ip", None)
         timestamp = self._cookie.get("timestamp", None)
 
-        if admin_id is None or remote_addr is None or timestamp is None:
+        if admin_id is None or timestamp is None:
             self.clear()
             return
 
         if not isinstance(admin_id, int) or not isinstance(timestamp, float):
             self.clear()
             return
 
-        if remote_addr != self._request.remote_addr:
-            self.clear()
-            return
-
         if make_timestamp() - timestamp > config.admin_cookie_duration:
             self.clear()
             return
