author | Andrew Dolgov <[email protected]> | 2018-10-15 08:26:07 +0300 |
committer | Andrew Dolgov <[email protected]> | 2018-10-15 08:26:07 +0300 |
commit | 7d53c2b501cbc0e48f90c154b2f901fef08fbd33 (patch) | |
tree | 01e296c202e04f21bf3619ac45eb124e96d0dae0 | |
parent | 8064ca3f8cac423ac688c26318d96238147c181c (diff) |
validate_session: bring back IP session binding (enabled by default) and UA checking
-rw-r--r-- | include/sessions.php | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/include/sessions.php b/include/sessions.php
index c80c21de3..f625cd16f 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -49,6 +49,19 @@
 $pdo = Db::pdo();
 if ($_SESSION["uid"]) {
+
+ if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
+ if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate.");
+ return false;
+ }
+ }
+
+ if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate.");
+ return false;
+ }
+
 $sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
 $sth->execute([$_SESSION['uid']]); |
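Review bot: Both new checks use loose `!=` and read keys that may be absent, so a session created before this commit (no `ip_address` or `user_agent` stored yet) or a request with no User-Agent header fails closed only through a null comparison plus a PHP notice rather than an explicit decision. Prefer a presence check with strict comparison, e.g. `if (!isset($_SESSION["user_agent"]) || $_SESSION["user_agent"] !== sha1($_SERVER['HTTP_USER_AGENT'] ?? ''))` (`??` assuming PHP 7+, otherwise a ternary), and the same `isset`/`!==` shape for the `ip_address` line. Behind a reverse proxy `$_SERVER["REMOTE_ADDR"]` is the proxy's address, which keeps the binding consistent across requests but makes it much weaker than the `_SKIP_SESSION_ADDRESS_CHECKS` knob implies; a comment at that `if` saying so would save operators a surprise. The enclosing `validate_session()` starts and ends outside the hunk, so where the stored values are written at login and how the session is cleared after `return false` is not visible here.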