From 916f788a94f19fde62a5f2bf481d9b6f6b91198c Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sat, 4 Mar 2006 14:30:50 +0100
Subject: [PATCH] make SESSION_CHECK_ADDRESS work on generic sessions
---
 config.php-dist | 2 +-
 functions.php | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/config.php-dist b/config.php-dist
index 9b05db94..c8d33b4c 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -105,7 +105,7 @@
 // Uses default PHP session storing mechanism if disabled
 define('SESSION_CHECK_ADDRESS', true);
- // Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS)
+ // Bind session to client IP address (recommended)
 define('SESSION_COOKIE_LIFETIME', 0);
 // Default lifetime of a session cookie. In seconds,
diff --git a/functions.php b/functions.php
index acbc3d31..931774cf 100644
--- a/functions.php
+++ b/functions.php
@@ -754,6 +754,7 @@
 $user_theme = get_user_theme_path($link);
 $_SESSION["theme"] = $user_theme;
+ $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
 initialize_user_prefs($link, $_SESSION["uid"]);
@@ -828,9 +829,28 @@
 return $redirect_uri;
 }
+ function validate_session($link) {
+ if (SESSION_CHECK_ADDRESS && !DATABASE_BACKED_SESSIONS && $_SESSION["uid"]) {
+ if ($_SESSION["ip_address"]) {
+ if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
 function login_sequence($link) {
 if (!SINGLE_USER_MODE) {
+ if (!validate_session($link)) {
+ logout_user();
+ $redirect_uri = get_login_redirect();
+ $return_to = preg_replace('/.*?\//', '', $_SERVER["REQUEST_URI"]);
+ header("Location: $redirect_uri?rt=$return_to");
+ exit;
+ }
+
 if (!USE_HTTP_AUTH) {
 if (!$_SESSION["uid"]) {
 $redirect_uri = get_login_redirect();
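Review bot: The address stored in `$_SESSION["ip_address"]` is `$_SERVER["REMOTE_ADDR"]`, the TCP peer, so if the instance sits behind a reverse proxy or its users share a NAT, every session records the same value and the later comparison in validate_session() cannot distinguish them, while a client whose address changes legitimately between requests is logged out. A one-line comment here would spare the next reader a trip through validate_session: `// Bound once at login; validate_session() rejects later requests arriving from a different REMOTE_ADDR`. The function this line belongs to starts before the hunk.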
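Review bot: `$return_to` is spliced into the Location header unencoded, so any query string present in REQUEST_URI is emitted as additional parameters of the login redirect instead of staying inside `rt`; use `header("Location: $redirect_uri?rt=" . urlencode($return_to));` (the same pattern appears to be used further down in login_sequence, which continues past the hunk). In validate_session the address comparison should be strict and the session reads guarded, since a session that never set `uid` or `ip_address` otherwise raises notices: `if (!empty($_SESSION["ip_address"]) && $_SESSION["ip_address"] !== $_SERVER["REMOTE_ADDR"]) return false;`. As written, a logged-in session without `ip_address` (one created before this change) passes the check; if that is the intended migration path, a comment stating it would help, and `$link` is accepted but unused.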