new option: SESSION_CHECK_ADDRESS

config.php-dist

@@ -104,5 +104,8 @@
 	// Store session information in a database (recommended)
 	// Uses default PHP session storing mechanism if disabled
 
+	define('SESSION_CHECK_ADDRESS', true);
+	// Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS)
+
 	// vim:ft=php
 ?>

schema/ttrss_schema_mysql.sql

@@ -259,6 +259,7 @@ create table ttrss_scheduled_updates (id integer not null primary key auto_incre
 create table ttrss_sessions (id varchar(300) unique not null primary key,
 	data text,
 	expire integer not null,
+	ip_address varchar(15) not null default '',
 	index (id), 
 	index (expire)) TYPE=InnoDB;
 

schema/ttrss_schema_pgsql.sql

@@ -232,8 +232,9 @@ create table ttrss_scheduled_updates (id serial not null primary key,
 	entered timestamp not null default NOW());
 
 create table ttrss_sessions (id varchar(300) unique not null primary key,
-	data text,
+	data text,	
-	expire integer not null);
+	expire integer not null,
+	ip_address varchar(15) not null default '');
 
 create index ttrss_sessions_expire_index on ttrss_sessions(expire);
 

schema/upgrade-1.1.3-1.1.4-mysql.sql

@@ -8,6 +8,7 @@ alter table ttrss_entries alter column author set default '';
 create table ttrss_sessions (id varchar(300) unique not null primary key,
 	data text,
 	expire integer not null,
+	ip_address varchar(15) not null default '',
 	index (id), 
 	index (expire)) TYPE=InnoDB;
 

schema/upgrade-1.1.3-1.1.4-pgsql.sql

@@ -9,7 +9,8 @@ alter table ttrss_entries alter column author set default '';
 
 create table ttrss_sessions (id varchar(300) unique not null primary key,
 	data text,
-	expire integer not null);
+	expire integer not null,
+	ip_address varchar(15) not null default '');
 
 create index ttrss_sessions_id_index on ttrss_sessions(id);
 create index ttrss_sessions_expire_index on ttrss_sessions(expire);

sessions.php

@@ -22,7 +22,13 @@
 	
 		global $session_connection,$session_read;					 
 
-		$query = "SELECT data FROM ttrss_sessions WHERE id='$id'";
+		$ip_address = $_SERVER["REMOTE_ADDR"];
+
+		if (SESSION_CHECK_ADDRESS) {
+			$address_check_qpart = " AND ip_address = '$ip_address'";
+		}
+
+		$query = "SELECT data FROM ttrss_sessions WHERE id='$id' $address_check_qpart";
 
 		$res = db_query($session_connection, $query);
 		
@@ -47,12 +53,18 @@
 		
 		$data = db_escape_string(base64_encode($data), $session_connection);
 		
+		$ip_address = $_SERVER["REMOTE_ADDR"];
+
+		if (SESSION_CHECK_ADDRESS) {
+			$address_check_qpart = " AND ip_address = '$ip_address'";
+		}
+		
 		if ($session_read) {
 		 	$query = "UPDATE ttrss_sessions SET data='$data', 
-					expire='$expire' WHERE id='$id'"; 
+					expire='$expire' WHERE id='$id' $address_check_qpart"; 
 		} else {
-		 	$query = "INSERT INTO ttrss_sessions (id, data, expire)
+		 	$query = "INSERT INTO ttrss_sessions (id, data, expire, ip_address)
-					VALUES ('$id', '$data', '$expire')";
+					VALUES ('$id', '$data', '$expire', '$ip_address')";
 		}
 		
 		db_query($session_connection, $query);
@@ -71,8 +83,14 @@
 	function destroy ($id) {
 	
 		global $session_connection;
-		
+
-		$query = "DELETE FROM ttrss_sessions WHERE id = '$id'";
+		$ip_address = $_SERVER["REMOTE_ADDR"];
+
+		if (SESSION_CHECK_ADDRESS) {
+			$address_check_qpart = " AND ip_address = '$ip_address'";
+		}
+
+		$query = "DELETE FROM ttrss_sessions WHERE id = '$id' $address_check_qpart";
 		
 		db_query($session_connection, $query);