make SESSION_CHECK_ADDRESS work on generic sessions

Andrew Dolgov 2006-03-04 14:30:50 +01:00
parent ff6519f854
commit 916f788a94
2 changed files with 21 additions and 1 deletions


@ -105,7 +105,7 @@
// Uses default PHP session storing mechanism if disabled // Uses default PHP session storing mechanism if disabled
define('SESSION_CHECK_ADDRESS', true); define('SESSION_CHECK_ADDRESS', true);
// Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS) // Bind session to client IP address (recommended)
define('SESSION_COOKIE_LIFETIME', 0); define('SESSION_COOKIE_LIFETIME', 0);
// Default lifetime of a session cookie. In seconds, // Default lifetime of a session cookie. In seconds,


@ -754,6 +754,7 @@
$user_theme = get_user_theme_path($link); $user_theme = get_user_theme_path($link);
$_SESSION["theme"] = $user_theme; $_SESSION["theme"] = $user_theme;
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
initialize_user_prefs($link, $_SESSION["uid"]); initialize_user_prefs($link, $_SESSION["uid"]);
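Review bot: The address is recorded only at this login point, and validate_session in the next hunk returns true whenever `$_SESSION["ip_address"]` is unset or empty, so every session established before this change stays unchecked until its owner logs in again, and the comparison is the loose `!=`. Failing closed on a missing value, `if (!isset($_SESSION["ip_address"]) || $_SESSION["ip_address"] !== $_SERVER["REMOTE_ADDR"]) { return false; }`, costs pre-existing sessions one re-login but removes that gap; if leaving old sessions unchecked is deliberate, a comment saying so would help. A short comment on this line, `// Recorded at login; validate_session() compares it on each request when SESSION_CHECK_ADDRESS is set`, would tie the two pieces together. In the same hunk's login_sequence, `$return_to` is placed into the Location header without `urlencode()`, so a request URI containing `&` or `#` produces a broken rt parameter. The function enclosing this hunk starts and ends outside it.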
@ -828,9 +829,28 @@
return $redirect_uri; return $redirect_uri;
} }
function validate_session($link) {
if (SESSION_CHECK_ADDRESS && !DATABASE_BACKED_SESSIONS && $_SESSION["uid"]) {
if ($_SESSION["ip_address"]) {
if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
return false;
}
}
}
return true;
}
function login_sequence($link) { function login_sequence($link) {
if (!SINGLE_USER_MODE) { if (!SINGLE_USER_MODE) {
if (!validate_session($link)) {
logout_user();
$redirect_uri = get_login_redirect();
$return_to = preg_replace('/.*?\//', '', $_SERVER["REQUEST_URI"]);
header("Location: $redirect_uri?rt=$return_to");
exit;
}
if (!USE_HTTP_AUTH) { if (!USE_HTTP_AUTH) {
if (!$_SESSION["uid"]) { if (!$_SESSION["uid"]) {
$redirect_uri = get_login_redirect(); $redirect_uri = get_login_redirect();