new option: SESSION_CHECK_ADDRESS

diff --git a/config.php-dist b/config.php-dist
index a17c352e09c0827fd170a0a9cd31d79b0e8594de..17b2ed53f1bcedd20d92305ad9f4637e4a15260b 100644 (file)
--- a/config.php-dist
+++ b/config.php-dist
@@ -104,5 +104,8 @@
        // Store session information in a database (recommended)
        // Uses default PHP session storing mechanism if disabled
 
+       define('SESSION_CHECK_ADDRESS', true);
+       // Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS)
+
        // vim:ft=php
 ?>

diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql
index 540fc0f22afdd0db17e5760b2f87c2ad110201e0..671577cf9e84eba2f130eb17f9e7ea9e37dcd76a 100644 (file)
--- a/schema/ttrss_schema_mysql.sql
+++ b/schema/ttrss_schema_mysql.sql
@@ -259,6 +259,7 @@ create table ttrss_scheduled_updates (id integer not null primary key auto_incre
 create table ttrss_sessions (id varchar(300) unique not null primary key,
        data text,
        expire integer not null,
+       ip_address varchar(15) not null default '',
        index (id), 
        index (expire)) TYPE=InnoDB;
 

diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql
index c6bc452179c9dcd00e7e6dc5ebf75ec50e89e426..e393353a829fb1d4790551e0e0d5f93bdc11dac0 100644 (file)
--- a/schema/ttrss_schema_pgsql.sql
+++ b/schema/ttrss_schema_pgsql.sql
@@ -232,8 +232,9 @@ create table ttrss_scheduled_updates (id serial not null primary key,
        entered timestamp not null default NOW());
 
 create table ttrss_sessions (id varchar(300) unique not null primary key,
-       data text,
-       expire integer not null);
+       data text,      
+       expire integer not null,
+       ip_address varchar(15) not null default '');
 
 create index ttrss_sessions_expire_index on ttrss_sessions(expire);
 

diff --git a/schema/upgrade-1.1.3-1.1.4-mysql.sql b/schema/upgrade-1.1.3-1.1.4-mysql.sql
index 32b45e897ea4eefee012f665b90555935c7551b0..37b3674dc3386c5835772a90596ff5473a0d8ead 100644 (file)
--- a/schema/upgrade-1.1.3-1.1.4-mysql.sql
+++ b/schema/upgrade-1.1.3-1.1.4-mysql.sql
@@ -8,6 +8,7 @@ alter table ttrss_entries alter column author set default '';
 create table ttrss_sessions (id varchar(300) unique not null primary key,
        data text,
        expire integer not null,
+       ip_address varchar(15) not null default '',
        index (id), 
        index (expire)) TYPE=InnoDB;
 

diff --git a/schema/upgrade-1.1.3-1.1.4-pgsql.sql b/schema/upgrade-1.1.3-1.1.4-pgsql.sql
index d1d310f3d015eaec9530c439f3d1ee5140dfc1cb..0191d6ede48587e44db97d81387b5c1c53bc4bcd 100644 (file)
--- a/schema/upgrade-1.1.3-1.1.4-pgsql.sql
+++ b/schema/upgrade-1.1.3-1.1.4-pgsql.sql
@@ -9,7 +9,8 @@ alter table ttrss_entries alter column author set default '';
 
 create table ttrss_sessions (id varchar(300) unique not null primary key,
        data text,
-       expire integer not null);
+       expire integer not null,
+       ip_address varchar(15) not null default '');
 
 create index ttrss_sessions_id_index on ttrss_sessions(id);
 create index ttrss_sessions_expire_index on ttrss_sessions(expire);

diff --git a/sessions.php b/sessions.php
index 54b862a3984635a6e9a7db3abe80a915eba5d106..3d931d968b5908284a2e3db6a6f3b63805b06c39 100644 (file)
--- a/sessions.php
+++ b/sessions.php
@@ -22,7 +22,13 @@
        
                global $session_connection,$session_read;                                        
 
-               $query = "SELECT data FROM ttrss_sessions WHERE id='$id'";
+               $ip_address = $_SERVER["REMOTE_ADDR"];
+
+               if (SESSION_CHECK_ADDRESS) {
+                       $address_check_qpart = " AND ip_address = '$ip_address'";
+               }
+
+               $query = "SELECT data FROM ttrss_sessions WHERE id='$id' $address_check_qpart";
 
                $res = db_query($session_connection, $query);
                
@@ -47,12 +53,18 @@
                
                $data = db_escape_string(base64_encode($data), $session_connection);
                
+               $ip_address = $_SERVER["REMOTE_ADDR"];
+
+               if (SESSION_CHECK_ADDRESS) {
+                       $address_check_qpart = " AND ip_address = '$ip_address'";
+               }
+               
                if ($session_read) {
                        $query = "UPDATE ttrss_sessions SET data='$data', 
-                                       expire='$expire' WHERE id='$id'"; 
+                                       expire='$expire' WHERE id='$id' $address_check_qpart"; 
                } else {
-                       $query = "INSERT INTO ttrss_sessions (id, data, expire)
-                                       VALUES ('$id', '$data', '$expire')";
+                       $query = "INSERT INTO ttrss_sessions (id, data, expire, ip_address)
+                                       VALUES ('$id', '$data', '$expire', '$ip_address')";
                }
                
                db_query($session_connection, $query);
@@ -71,8 +83,14 @@
        function destroy ($id) {
        
                global $session_connection;
-               
-               $query = "DELETE FROM ttrss_sessions WHERE id = '$id'";
+
+               $ip_address = $_SERVER["REMOTE_ADDR"];
+
+               if (SESSION_CHECK_ADDRESS) {
+                       $address_check_qpart = " AND ip_address = '$ip_address'";
+               }
+
+               $query = "DELETE FROM ttrss_sessions WHERE id = '$id' $address_check_qpart";
                
                db_query($session_connection, $query);