new option: SESSION_CHECK_ADDRESS

1 files changed, 24 insertions, 6 deletions

diff --git a/sessions.php b/sessions.php
index 54b862a39..3d931d968 100644
--- a/sessions.php
+++ b/sessions.php
@@ -22,7 +22,13 @@
 	
 		global $session_connection,$session_read;					 
 
-		$query = "SELECT data FROM ttrss_sessions WHERE id='$id'";
+		$ip_address = $_SERVER["REMOTE_ADDR"];
+
+		if (SESSION_CHECK_ADDRESS) {
+			$address_check_qpart = " AND ip_address = '$ip_address'";
+		}
+
+		$query = "SELECT data FROM ttrss_sessions WHERE id='$id' $address_check_qpart";
 
 		$res = db_query($session_connection, $query);
 		
@@ -47,12 +53,18 @@
 		
 		$data = db_escape_string(base64_encode($data), $session_connection);
 		
+		$ip_address = $_SERVER["REMOTE_ADDR"];
+
+		if (SESSION_CHECK_ADDRESS) {
+			$address_check_qpart = " AND ip_address = '$ip_address'";
+		}
+		
 		if ($session_read) {
 		 	$query = "UPDATE ttrss_sessions SET data='$data', 
-					expire='$expire' WHERE id='$id'"; 
+					expire='$expire' WHERE id='$id' $address_check_qpart"; 
 		} else {
-		 	$query = "INSERT INTO ttrss_sessions (id, data, expire)
-					VALUES ('$id', '$data', '$expire')";
+		 	$query = "INSERT INTO ttrss_sessions (id, data, expire, ip_address)
+					VALUES ('$id', '$data', '$expire', '$ip_address')";
 		}
 		
 		db_query($session_connection, $query);
@@ -71,8 +83,14 @@
 	function destroy ($id) {
 	
 		global $session_connection;
-		
-		$query = "DELETE FROM ttrss_sessions WHERE id = '$id'";
+
+		$ip_address = $_SERVER["REMOTE_ADDR"];
+
+		if (SESSION_CHECK_ADDRESS) {
+			$address_check_qpart = " AND ip_address = '$ip_address'";
+		}
+
+		$query = "DELETE FROM ttrss_sessions WHERE id = '$id' $address_check_qpart";
 		
 		db_query($session_connection, $query);