diff options
| author | Andrew Dolgov <[email protected]> | 2013-03-31 13:10:46 +0400 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2013-03-31 13:10:46 +0400 |
| commit | e9b746923384fc4d911e92f89e11a27bc2f9ad0b (patch) | |
| tree | db0b8f1b4bd1ad9e1c8471f56b075b388786d330 /include/sessions.php | |
| parent | b9fc62a776f0d8c551798b27a077c4512128be7e (diff) | |
validate session on startup
Diffstat (limited to 'include/sessions.php')
| -rw-r--r-- | include/sessions.php | 71 |
1 files changed, 70 insertions, 1 deletions
diff --git a/include/sessions.php b/include/sessions.php index 727d955d0..81a5a7383 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -17,6 +17,75 @@ ini_set("session.use_only_cookies", true); ini_set("session.gc_maxlifetime", $session_expire); + function session_get_schema_version($link, $nocache = false) { + global $schema_version; + + if (!$schema_version) { + $result = db_query($link, "SELECT schema_version FROM ttrss_version"); + $version = db_fetch_result($result, 0, "schema_version"); + $schema_version = $version; + return $version; + } else { + return $schema_version; + } + } + + function validate_session($link) { + if (SINGLE_USER_MODE) return true; + + $check_ip = $_SESSION['ip_address']; + + switch (SESSION_CHECK_ADDRESS) { + case 0: + $check_ip = ''; + break; + case 1: + $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1); + break; + case 2: + $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')); + $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1); + break; + }; + + if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0) { + $_SESSION["login_error_msg"] = + __("Session failed to validate (incorrect IP)"); + return false; + } + + if ($_SESSION["ref_schema_version"] != session_get_schema_version($link, true)) + return false; + + if ($_SESSION["uid"]) { + $result = db_query($link, + "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'"); + + // user not found + if (db_num_rows($result) == 0) { + return false; + } else { + $pwd_hash = db_fetch_result($result, 0, "pwd_hash"); + + if ($pwd_hash != $_SESSION["pwd_hash"]) { + return false; + } + } + } + +/* if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) { + + //print_r($_SESSION); + + if (time() > $_SESSION["cookie_lifetime"]) { + return false; + } + } */ + + return true; + } + + function ttrss_open ($s, $n) { global $session_connection; @@ -106,7 +175,7 @@ if (isset($_COOKIE[$session_name])) { @session_start(); - if (!isset($_SESSION["uid"]) || !$_SESSION["uid"]) { + if (!isset($_SESSION["uid"]) || !$_SESSION["uid"] || !validate_session($session_connection)) { session_destroy(); setcookie(session_name(), '', time()-42000, '/'); } |