Prevent-proxy-connections option in Minecraft: Java Edition server in server.properties does not work when using any type of proxy, such as this one
https://github.com/bangbang93/minecraft-proxy
In this case, the player connects to the server from a one IP, but makes a request to https://sessionserver.mojang.com/session/minecraft/join from another IP and sessionserver allows player to log in to the server
This was also tested using a mod that allows you to join servers under a proxy:
https://www.curseforge.com/minecraft/mc-mods/proxy-server
Everything happens exactly the same way and the sessionserver also allows to join
This was also tested by directly accessing join and hadJoined endpoints:
Whatever IP is specified in the 'ip' parameter in the request to https://sessionserver.mojang.com/session/minecraft/hasJoined this does not affect the result, looks like this parameter is simply ignored
It also doesn't matter which endpoint is used for joining - the old 'joinserver.jsp' or new 'join'
I think that the IP logging was broken on these two endpoints, or the hasJoined IP check was broken
Confirmed that the IP field is ignored just now using postman & my own account.
This bug should really have it's priority bumped as it solely enables the alt "renting" style websites.
Multiple sites (mcleaks.net is a good example) simply send join requests on behalf of their clients, allowing them to hold onto all of the sensitive account data while renting out accounts over & over again to thousands of users. With services like these, trolls can always just join a server again with another account after being banned with zero consequence.