From 837ec70e3ee4378f4d7a0a616ad0f291b311152a Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Mon, 1 Apr 2013 18:22:07 +0400
Subject: validate_session: check for user agent

---
 include/functions.php | 1 +
 include/sessions.php  | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/include/functions.php b/include/functions.php
index e86c97474..ece6d1b91 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -621,6 +621,7 @@
 					$_SESSION["uid"]);
 
 				$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
+				$_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
 				$_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash");
 
 				$_SESSION["last_version_check"] = time();
diff --git a/include/sessions.php b/include/sessions.php
index 81a5a7383..778d00e3a 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -57,6 +57,9 @@
 		if ($_SESSION["ref_schema_version"] != session_get_schema_version($link, true))
 			return false;
 
+		if (sha1($_SERVER['HTTP_USER_AGENT']) != $_SESSION["user_agent"])
+			return false;
+
 		if ($_SESSION["uid"]) {
 			$result = db_query($link,
 				"SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");
-- 
cgit v1.2.3