The action redirect of the login servlet takes a one time token and redirects the user then to his session. Unfortunately we discover errors in the infrastructure around Open-Xchange that causes those one time tokens to be sent to the wrong clients. So wrong clients get redirected into some users session. The action redirect rewrites IP and User-Agent in the session, so this is possible.

All login methods must be extended so if servers in the infrastructure around Open-Xchange want to create a session instead of the client itself the client IP address and the client's User-Agent can be specified.

The following requests are extended with those parameters:
- the action login of the login servlet,
- the action formLogin of the login servlet,
- the HTTP auth of the login servlet and
- the easylogin request of the EasyLogin servlet.

The following new parameters are introduced to the above mentioned requests:
- clientIP (optional) ? IP address of the client host for that the session is created. If this parameter is not specified the IP address of the HTTP client doing this request is used.
- clientUserAgent (optional) ? Value of the User-Agent header of the client host for that the session is created. If this parameter is not specified the User-Agent of the current HTTP client doing this request is used.