mirror of
https://github.com/ZoneMinder/zoneminder.git
synced 2026-06-23 04:59:37 -04:00
bac9b8af01
generateAuthHash() cached every hash under the IP-keyed slot 'AuthHash'.$remoteAddr, but the value was IP-bound only when $useRemoteAddr was set. getZmuCommand() calls generateAuthHash(false, true), which wrote an IP-less hash into the IP-bound slot and reset AuthHashGeneratedAt. Because the status poll runs getZmuCommand (web/ajax/status.php) right before emitting the auth hash, the poll then served the IP-less hash to the browser; the next IP-bound request was rejected by the validator, redirecting the user to login roughly every poll. This happens with a completely stable client IP, so it is distinct from the IP-rotation case. Key the cache slot by the address actually baked into the value: only use the session address when this caller asked for it (and AUTH_HASH_IPS is on). IP-less and IP-bound hashes now occupy separate slots and can no longer clobber each other. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>