2.65. TrustProxy *global*

Allows the administrator to designate certain IP addresses or hostnames as trusted HTTP proxies, whose claims (via the HTTP_X_FORWARDED_FOR environment variable set by the web server) about the original requesting host will be assumed accurate.

When using a front-end proxy for Interchange, all requests appear to come from that proxy, for example from 127.0.0.1 if the proxy runs on the same machine. This is effectively the same as running with WideOpen Yes, because all sessions will have the same user IP address and thus can be easily hijacked. Session hijacking can happen when someone unknowingly includes a session ID in a URL they send to other users, and all those users then end up with the same session and shopping cart!

TrustProxy takes a comma-separated list of one or more IP addresses and/or hostnames, which may include wildcards (* for any number of characters, ? for a single character). For example:

TrustProxy 127.0.0.1, 10.0.0.*

I'm not sure why anyone would want to do this, but it could also be used with external HTTP proxies in general (which you can only hope aren't lying), with a simple 'TrustProxy *'.

Note that the environment variables are not modified in any way; only Interchange's idea of the remote host is altered, as you see with [data session host].
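
The following Python model is an added example, not Interchange's own code. It shows how a wildcard list such as the one above decides whether the X-Forwarded-For claim is believed, and why 'TrustProxy *' lets any directly connecting client choose its own recorded host. The function names, the whole-string matching and the single-address header are assumptions of the example; the requests are constructed.

```python
import re

def compile_entry(entry):
    """One TrustProxy entry -> regex: '*' = any run of characters, '?' = exactly one."""
    out = []
    for ch in entry.strip():
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)

def parse_trust_proxy(value):
    """Split the comma-separated directive value into compiled patterns."""
    return [compile_entry(e) for e in value.split(",") if e.strip()]

def session_host(remote_addr, forwarded_for, trusted, remote_host=""):
    """Host the application records for the session (model, not Interchange code).

    Assumptions: patterns must match the whole peer address or hostname, and
    the header carries a single address (multi-hop chains are not modelled).
    """
    peer_trusted = any(
        rx.fullmatch(name) for rx in trusted for name in (remote_addr, remote_host) if name
    )
    if peer_trusted and forwarded_for:
        return forwarded_for.strip()   # believe the proxy's claim
    return remote_addr                 # header ignored: peer is not a trusted proxy

def demo():
    """Constructed requests: (peer address, X-Forwarded-For value)."""
    trusted = parse_trust_proxy("127.0.0.1, 10.0.0.*")
    wide = parse_trust_proxy("*")
    return {
        "local_proxy": session_host("127.0.0.1", "203.0.113.7", trusted),
        "lan_proxy": session_host("10.0.0.25", "203.0.113.8", trusted),
        "no_header": session_host("127.0.0.1", "", trusted),
        "direct_client": session_host("198.51.100.9", "10.0.0.1", trusted),
        "near_miss": session_host("110.0.0.5", "10.0.0.1", trusted),
        "wildcard_all": session_host("198.51.100.9", "10.0.0.1", wide),
    }

if __name__ == "__main__":
    for case, host in demo().items():
        print(f"{case:14} -> {host}")
```

With the explicit list, the header is honoured only when the connecting peer is one of the listed proxies, so the web server or firewall should also ensure that clients cannot reach Interchange except through those proxies.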