validate_session: check for user agent

diff --git a/include/functions.php b/include/functions.php
index e86c9747428aeec58bfddf753cf3bb797ce4cbbe..ece6d1b9155cc2d2f872ca052805ead05ad308d2 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -621,6 +621,7 @@
                                        $_SESSION["uid"]);
 
                                $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
+                               $_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
                                $_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash");
 
                                $_SESSION["last_version_check"] = time();

diff --git a/include/sessions.php b/include/sessions.php
index 81a5a73836879dbccb254c80ed073f26c3a69d37..778d00e3aef2a92b7cf84dec036f7a679310ea9e 100644 (file)
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -57,6 +57,9 @@
                if ($_SESSION["ref_schema_version"] != session_get_schema_version($link, true))
                        return false;
 
+               if (sha1($_SERVER['HTTP_USER_AGENT']) != $_SESSION["user_agent"])
+                       return false;
+
                if ($_SESSION["uid"]) {
                        $result = db_query($link,
                                "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");