public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-13 05:25:56 +00:00
Code Issues Releases Wiki Activity

validate_session: bring back IP session binding (enabled by default) and UA checking

Browse Source
This commit is contained in:
Andrew Dolgov
2018-10-15 08:26:07 +03:00
parent 8064ca3f8c
commit 7d53c2b501
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
include/sessions.php
View File

@@ -49,6 +49,19 @@
$pdo = Db::pdo();
if ($_SESSION["uid"]) {
if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
$_SESSION["login_error_msg"] = __("Session failed to validate.");
return false;
}
}
if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
$_SESSION["login_error_msg"] = __("Session failed to validate.");
return false;
}
$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
$sth->execute([$_SESSION['uid']]);