authorAndrew Dolgov <[email protected]>2010-11-26 12:31:01 +0300
committerAndrew Dolgov <[email protected]>2010-11-26 12:31:01 +0300
commit0f41fce845757e0d986be0c00f290ef1da7dc1e1 (patch)
tree42a2ddb5868fb0e9292492c002d7e9dc6369bfe7
parent64e411abf4a59b0af319fdf8e07d9fb58097e810 (diff)
change behaviour of SESSION_CHECK_ADDRESS
-rw-r--r--config.php-dist8
-rw-r--r--functions.php33
2 files changed, 26 insertions, 15 deletions
diff --git a/config.php-dist b/config.php-dist
index 824b843c7..f3045f70e 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -49,8 +49,12 @@
// configurations. Doesn't seem to work for everyone, so enable with caution.
// tt-rss uses default PHP session storing mechanism if disabled.
- define('SESSION_CHECK_ADDRESS', true);
- // Bind session to client IP address (recommended)
+ define('SESSION_CHECK_ADDRESS', 1);
+ // Check client IP address when validating session:
+ // 0 - disable checking
+ // 1 - check first 3 octets of an address (recommended)
+ // 2 - check first 2 octets of an address
+ // 3 - check entire address
define('SESSION_COOKIE_LIFETIME', 0);
// Default lifetime of a session (e.g. login) cookie. In seconds,
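Review bot: The new comment block does not say what happens to installs that still carry the old `define('SESSION_CHECK_ADDRESS', true);`. Judging by the `switch` in the functions.php hunk, which compares loosely, `true` would match `case 1`, so those sites appear to move from a whole-address comparison to a three-octet one without touching their config. I would add a line such as `// A legacy value of true is treated as 1; use 3 to check the entire address`, and state that the octet modes assume a dotted IPv4 address. The shipped default also changes from the strictest setting to a looser one, which deserves a mention in the upgrade notes.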
diff --git a/functions.php b/functions.php
index d874ba3b9..1d37727fe 100644
--- a/functions.php
+++ b/functions.php
@@ -1901,22 +1901,29 @@
}
function validate_session($link) {
- if (SINGLE_USER_MODE) {
- return true;
- }
+ if (SINGLE_USER_MODE) return true;
- if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
- if ($_SESSION["ip_address"]) {
- if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
- $_SESSION["login_error_msg"] = __("Session failed to validate (incorrect IP)");
- return false;
- }
- }
- }
+ $check_ip = $_SESSION['ip_address'];
- if ($_SESSION["ref_schema_version"] != get_schema_version($link, true)) {
+ switch (SESSION_CHECK_ADDRESS) {
+ case 0:
+ $check_ip = '';
+ break;
+ case 1:
+ $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+ break;
+ case 2:
+ $check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
+ $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+ break;
+ };
+
+ if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0)
+ $_SESSION["login_error_msg"] =
+ __("Session failed to validate (incorrect IP)");
+
+ if ($_SESSION["ref_schema_version"] != get_schema_version($link, true))
return false;
- }
if ($_SESSION["uid"]) {
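Review bot: An address mismatch no longer fails validation: the new `if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0)` has no braces and only assigns `login_error_msg`, whereas the removed code also did `return false;`, so as far as this hunk shows the request falls through to the schema and uid checks. Wrap the body in braces and add `return false;` after the message assignment. Separately, the whole-address mode (3) is a prefix test, so a stored `10.0.0.1` would also accept `10.0.0.12`; an exact comparison such as `$_SERVER['REMOTE_ADDR'] !== $check_ip` fits that mode better. Modes 1 and 2 depend on `strrpos($check_ip, '.')`, which returns false for an address without dots (IPv6, for example), leaving a one-character or empty prefix and so little or no check. The body of validate_session continues past the end of the hunk.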