X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=include%2Fsessions.php;h=2d17bfd8e388363edef677662e8ac4db944649f2;hb=74736fce0f89efbaa971e6817303e8840c4aed8f;hp=c80c21de3a24cc6314f4fe8164c0313363f29cfb;hpb=4d13514dd4b1ce9fb7e2ce138cbfa50bb6292290;p=tt-rss.git
diff --git a/include/sessions.php b/include/sessions.php
index c80c21de..2d17bfd8 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -49,6 +49,19 @@ $pdo = Db::pdo();
 if ($_SESSION["uid"]) {
+
+ if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
+ if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate.");
+ return false;
+ }
+ }
+
+ if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate.");
+ return false;
+ }
+
 $sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
 $sth->execute([$_SESSION['uid']]);
@@ -147,5 +160,9 @@ if (!defined('NO_SESSION_AUTOSTART')) {
 if (isset($_COOKIE[session_name()])) {
 @session_start();
+
+ if (!$_SESSION['uid']) {
+ logout_user();
+ }
 }
 }
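Review bot: The new user-agent check on the `$_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])` line compares loosely and reads keys that are not guaranteed to exist: `HTTP_USER_AGENT` is absent when a client sends no User-Agent header, and `ip_address`/`user_agent` are absent in any session created before this commit, so these paths raise undefined-index notices (the `@` on session_start() in the second hunk does not cover them) and an absent UA is hashed as sha1('') instead of being treated as a mismatch. I would read the header through a guard and compare strictly, `$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';` followed by `if (!isset($_SESSION["user_agent"]) || $_SESSION["user_agent"] !== sha1($ua)) {`, and apply the same `!==` plus isset() guard to the ip_address branch. Both failure paths only set login_error_msg and return false, so whether the session is actually invalidated depends on the caller, which lies outside this hunk along with the start of the enclosing function. Worth noting in a comment above the block that these checks are defence in depth only (a captured cookie is usually captured together with the User-Agent) and that binding to REMOTE_ADDR will log out users whose address changes mid-session unless the deployment defines _SKIP_SESSION_ADDRESS_CHECKS.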
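Review bot: `if (!$_SESSION['uid'])` after session_start() reads a key that is unset for every session without a logged-in user (a fresh cookie, or one that only carries the login_error_msg written by the validation failure in the first hunk), so it raises an undefined-index notice on exactly the path it is meant to handle; `if (empty($_SESSION['uid'])) {` checks presence and truthiness in one step and matches the truthiness test the code already applies to uid. If logout_user() destroys the session, this also discards login_error_msg before whatever presumably displays it on the login page gets to run — worth confirming against logout_user(), which is not visible here. The enclosing `if (!defined('NO_SESSION_AUTOSTART'))` block begins before the hunk.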