From 58b7fa8e2e7eb6d20c816a33b5c06d3d640d1123 Mon Sep 17 00:00:00 2001 From: Matt Wright Date: Tue, 6 May 2014 12:35:50 -0400 Subject: [PATCH] Check `X-Forwarded-For` header value when tracking IP addresses. Fixes #234 --- flask_security/utils.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/flask_security/utils.py b/flask_security/utils.py index 7d2d6aa..5b20352 100644 --- a/flask_security/utils.py +++ b/flask_security/utils.py @@ -62,8 +62,12 @@ def login_user(user, remember=None): return False if _security.trackable: + if 'X-Forwarded-For' not in request.headers: + remote_addr = request.remote_addr or 'untrackable' + else: + remote_addr = request.headers.getlist("X-Forwarded-For")[0] + old_current_login, new_current_login = user.current_login_at, datetime.utcnow() - remote_addr = request.remote_addr or 'untrackable' old_current_ip, new_current_ip = user.current_login_ip, remote_addr user.last_login_at = old_current_login or new_current_login