
Separate web server allows anyone to POST to sendmessage.php without logging in #1929

Closed
chuushi opened this issue Apr 15, 2016 · 1 comment

Comments

@chuushi

chuushi commented Apr 15, 2016

I have the dynmap web server run on lighttpd in order to get the SSL support. Everything is internal.

My dynmap class configuration is set up as follows (irrelevant portions omitted):

  - class: org.dynmap.JsonFileClientUpdateComponent
    writeinterval: 1
    allowwebchat: true
    webchat-interval: 0
    hidewebchatip: true
    use-player-login-ip: false
    require-player-login-ip: false
    block-banned-player-chat: true
    # Require login for web-to-server chat (requires login-enabled: true)
    webchat-requires-login: true
    # If set to true, users must have dynmap.webchat permission in order to chat
    webchat-permissions: true
    # Limit length of single chat messages
    chatlengthlimit: 256
    hidenames: false

I assumed setting webchat-requires-login to true requires users to be logged on, and the dynmap uses browser session name to match the username with the messages. However, when I tried making a POST request to standalone/sendmessage.php manually on a different browser, it displayed "web-###" as the sender. I expected to get an error for trying to send a message while not logged in and/or no message output at all.

@chuushi chuushi changed the title Separate web server allows anyone to use webchat without logging in Separate web server allows anyone to POST to sendmessage.php without logging in Apr 15, 2016
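To make the expected behaviour concrete, here is an added example (not dynmap's code, and not from the reporter) of a web-chat POST handler in two forms: the trusting form that accepts any POST and labels the sender from the client address, as observed above, and the enforcing form in which webchat-requires-login actually gates the request on an authenticated server-side session. The Session, ChatConfig and Request types, the result dicts and the "web-NNN" label derivation are all constructed assumptions for illustration; the config field names mirror the ones in the issue.

```python
"""Constructed example: a web-to-server chat endpoint that decides, per request,
whether an unauthenticated POST may send a message. Only the setting names and
the "web-NNN" sender label come from the issue; the types below are assumptions."""

import zlib
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    # Server-side session record; `player` is filled in only after a real login.
    player: Optional[str] = None


@dataclass
class ChatConfig:
    # Mirrors two settings from the issue's configuration block.
    webchat_requires_login: bool = True
    chatlengthlimit: int = 256


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


def anonymous_label(client_ip: str) -> str:
    """Constructed placeholder for the 'web-NNN' style sender name."""
    return "web-%03d" % (zlib.crc32(client_ip.encode()) % 1000)


def validate_message(form: Dict[str, str], config: ChatConfig) -> Optional[str]:
    """Return the message text, or None if it is empty or over the length limit."""
    msg = form.get("message", "")
    if not msg or len(msg) > config.chatlengthlimit:
        return None
    return msg


def handle_sendmessage_trusting(req: Request, client_ip: str, config: ChatConfig) -> dict:
    """The behaviour the reporter observed: every POST is accepted and the sender
    is labelled from the client address, whatever webchat_requires_login says."""
    if req.method != "POST":
        return {"status": "error", "reason": "method-not-allowed"}
    msg = validate_message(req.form, config)
    if msg is None:
        return {"status": "error", "reason": "bad-message"}
    return {"status": "ok", "sender": anonymous_label(client_ip), "message": msg}


def handle_sendmessage_enforcing(req: Request, client_ip: str, config: ChatConfig,
                                 sessions: Dict[str, Session]) -> dict:
    """The behaviour the reporter expected: with webchat_requires_login set, a POST
    that carries no authenticated session is rejected before the message is even
    looked at, and the sender name comes from the session, never from the form."""
    if req.method != "POST":
        return {"status": "error", "reason": "method-not-allowed"}
    session = sessions.get(req.cookies.get("sid", ""))
    if config.webchat_requires_login:
        if session is None or session.player is None:
            return {"status": "error", "reason": "login-required"}
        sender = session.player
    else:
        sender = anonymous_label(client_ip)
    msg = validate_message(req.form, config)
    if msg is None:
        return {"status": "error", "reason": "bad-message"}
    # Any client-supplied "sender" field is deliberately ignored.
    return {"status": "ok", "sender": sender, "message": msg}


if __name__ == "__main__":
    cfg = ChatConfig()
    anon = Request("POST", {"message": "hello", "sender": "admin"})  # no session cookie
    print("trusting: ", handle_sendmessage_trusting(anon, "10.0.0.5", cfg))
    print("enforcing:", handle_sendmessage_enforcing(anon, "10.0.0.5", cfg, {}))
    logged_in = Request("POST", {"message": "hello"}, {"sid": "s1"})
    print("enforcing, logged in:",
          handle_sendmessage_enforcing(logged_in, "10.0.0.5", cfg, {"s1": Session("steve")}))
```

The point of the enforcing version is that the login check runs in the same process that serves the POST: if the check lives only in the plugin's Java side and the PHP endpoint on a separate web server never consults it, the setting has no effect on that endpoint.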
@wioxjk

wioxjk commented Jul 8, 2016

Have you tried:
use-player-login-ip: true
require-player-login-ip: true
?
