authorAndrew Dolgov <[email protected]>2018-10-15 08:26:07 +0300
committerAndrew Dolgov <[email protected]>2018-10-15 08:26:07 +0300
commit7d53c2b501cbc0e48f90c154b2f901fef08fbd33 (patch)
tree01e296c202e04f21bf3619ac45eb124e96d0dae0 /include/sessions.php
parent8064ca3f8cac423ac688c26318d96238147c181c (diff)
validate_session: bring back IP session binding (enabled by default) and UA checking
Diffstat (limited to 'include/sessions.php')
-rw-r--r--include/sessions.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/include/sessions.php b/include/sessions.php
index c80c21de3..f625cd16f 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -49,6 +49,19 @@
$pdo = Db::pdo();
if ($_SESSION["uid"]) {
+
+ if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
+ if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate.");
+ return false;
+ }
+ }
+
+ if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate.");
+ return false;
+ }
+
$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
$sth->execute([$_SESSION['uid']]);
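Review bot: Both new checks use loose `!=`, and the User-Agent check on line 31 compares two sha1 hex digests that way — PHP compares numeric-looking strings (a digest of the form `0e` followed by digits) numerically under `==`/`!=`, so strict comparison is the safer form, and `$_SERVER['HTTP_USER_AGENT']` is read without a guard, so a request that omits the header raises an undefined-index notice before sha1() runs. I'd change line 25 to `if (!isset($_SESSION["ip_address"]) || $_SESSION["ip_address"] !== $_SERVER["REMOTE_ADDR"]) {` and replace line 31 with `$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';` followed by `if (!isset($_SESSION["user_agent"]) || !hash_equals($_SESSION["user_agent"], sha1($ua))) {`, which keeps the same outcome for sessions created before this commit (no stored digest → validation fails) without the notice. Note that `REMOTE_ADDR` is the proxy's address when tt-rss sits behind a reverse proxy or load balancer, so the default-on IP binding adds nothing there while still logging out users whose address changes mid-session; a comment above line 24 such as `// bind the session to the client address; set _SKIP_SESSION_ADDRESS_CHECKS for users behind changing addresses or proxies` would make the trade-off visible. Whether a failed validation ends with the session actually being destroyed depends on the caller of validate_session, which, like the rest of this function, lies outside the hunk.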