invalidate session on password change

diff --git a/functions.php b/functions.php
index 131dc0db1d05c9f6c8298f2aa1a0306aae33e75a..a237aff5aacae5104bc32d240cc1bee22548c7a5 100644 (file)
--- a/functions.php
+++ b/functions.php
@@ -1449,6 +1449,7 @@
        
                                $_SESSION["theme"] = $user_theme;
                                $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
+                               $_SESSION["pwd_hash"] = $pwd_hash;
        
                                initialize_user_prefs($link, $_SESSION["uid"]);
        
@@ -1534,6 +1535,18 @@
                        }
                }
 
+               if ($_SESSION["uid"]) {
+
+                       $result = db_query($link, 
+                               "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");
+
+                       $pwd_hash = db_fetch_result($result, 0, "pwd_hash");
+
+                       if ($pwd_hash != $_SESSION["pwd_hash"]) {
+                               return false;
+                       }
+               }
+
 /*             if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) {
 
                        //print_r($_SESSION);