Bugfix
(User-visible)
If the application is behind a facade (the rule), then in the session service you don't get the address of the client but sensibly for all clients the address of the facade.
Test
- In a deployed application behind an Apache web server, check whether the IP of the requesting computer is actually logged (for both successful and failed logins).