// configurations. Doesn't seem to work for everyone, so enable with caution.
// tt-rss uses default PHP session storing mechanism if disabled.
- define('SESSION_CHECK_ADDRESS', true);
- // Bind session to client IP address (recommended)
+ define('SESSION_CHECK_ADDRESS', 1);
+ // Check client IP address when validating session:
+ // 0 - disable checking
+ // 1 - check first 3 octets of an address (recommended)
+ // 2 - check first 2 octets of an address
+ // 3 - check entire address
define('SESSION_COOKIE_LIFETIME', 0);
// Default lifetime of a session (e.g. login) cookie. In seconds,
}
function validate_session($link) {
- if (SINGLE_USER_MODE) {
- return true;
- }
+ if (SINGLE_USER_MODE) return true;
- if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
- if ($_SESSION["ip_address"]) {
- if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
- $_SESSION["login_error_msg"] = __("Session failed to validate (incorrect IP)");
- return false;
- }
- }
- }
+ $check_ip = $_SESSION['ip_address'];
- if ($_SESSION["ref_schema_version"] != get_schema_version($link, true)) {
+ switch (SESSION_CHECK_ADDRESS) {
+ case 0:
+ $check_ip = '';
+ break;
+ case 1:
+ $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+ break;
+ case 2:
+ $check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
+ $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+ break;
+ };
+
+ if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0)
+ $_SESSION["login_error_msg"] =
+ __("Session failed to validate (incorrect IP)");
+
+ if ($_SESSION["ref_schema_version"] != get_schema_version($link, true))
return false;
- }
if ($_SESSION["uid"]) {