]> git.wh0rd.org Git - tt-rss.git/commitdiff
validate session on startup
authorAndrew Dolgov <fox@fakecake.org>
Sun, 31 Mar 2013 09:10:46 +0000 (13:10 +0400)
committerAndrew Dolgov <fox@fakecake.org>
Sun, 31 Mar 2013 09:10:46 +0000 (13:10 +0400)
include/functions.php
include/sessions.php

index ea69b5f38b20223a4a0d4ecb893430487936f158..b9c30c6ce67d49bc082ebea9024a03b36faabd6a 100644 (file)
                return $csrf_token == $_SESSION['csrf_token'];
        }
 
-       function validate_session($link) {
-               if (SINGLE_USER_MODE) return true;
-
-               $check_ip = $_SESSION['ip_address'];
-
-               switch (SESSION_CHECK_ADDRESS) {
-               case 0:
-                       $check_ip = '';
-                       break;
-               case 1:
-                       $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
-                       break;
-               case 2:
-                       $check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
-                       $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
-                       break;
-               };
-
-               if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0) {
-                       $_SESSION["login_error_msg"] =
-                               __("Session failed to validate (incorrect IP)");
-                       return false;
-               }
-
-               if ($_SESSION["ref_schema_version"] != get_schema_version($link, true))
-                       return false;
-
-               if ($_SESSION["uid"]) {
-
-                       $result = db_query($link,
-                               "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");
-
-                       $pwd_hash = db_fetch_result($result, 0, "pwd_hash");
-
-                       if ($pwd_hash != $_SESSION["pwd_hash"]) {
-                               return false;
-                       }
-               }
-
-/*             if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) {
-
-                       //print_r($_SESSION);
-
-                       if (time() > $_SESSION["cookie_lifetime"]) {
-                               return false;
-                       }
-               } */
-
-               return true;
-       }
-
        function load_user_plugins($link, $owner_uid) {
                if ($owner_uid) {
                        $plugins = get_pref($link, "_ENABLED_PLUGINS", $owner_uid);
index 727d955d03d0639651758c94b762bba7e6cfa2a6..81a5a73836879dbccb254c80ed073f26c3a69d37 100644 (file)
        ini_set("session.use_only_cookies", true);
        ini_set("session.gc_maxlifetime", $session_expire);
 
+       function session_get_schema_version($link, $nocache = false) {
+               global $schema_version;
+
+               if (!$schema_version) {
+                       $result = db_query($link, "SELECT schema_version FROM ttrss_version");
+                       $version = db_fetch_result($result, 0, "schema_version");
+                       $schema_version = $version;
+                       return $version;
+               } else {
+                       return $schema_version;
+               }
+       }
+
+       function validate_session($link) {
+               if (SINGLE_USER_MODE) return true;
+
+               $check_ip = $_SESSION['ip_address'];
+
+               switch (SESSION_CHECK_ADDRESS) {
+               case 0:
+                       $check_ip = '';
+                       break;
+               case 1:
+                       $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+                       break;
+               case 2:
+                       $check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
+                       $check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+                       break;
+               };
+
+               if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0) {
+                       $_SESSION["login_error_msg"] =
+                               __("Session failed to validate (incorrect IP)");
+                       return false;
+               }
+
+               if ($_SESSION["ref_schema_version"] != session_get_schema_version($link, true))
+                       return false;
+
+               if ($_SESSION["uid"]) {
+                       $result = db_query($link,
+                               "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");
+
+                       // user not found
+                       if (db_num_rows($result) == 0) {
+                               return false;
+                       } else {
+                               $pwd_hash = db_fetch_result($result, 0, "pwd_hash");
+
+                               if ($pwd_hash != $_SESSION["pwd_hash"]) {
+                                       return false;
+                               }
+                       }
+               }
+
+/*             if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) {
+
+                       //print_r($_SESSION);
+
+                       if (time() > $_SESSION["cookie_lifetime"]) {
+                               return false;
+                       }
+               } */
+
+               return true;
+       }
+
+
        function ttrss_open ($s, $n) {
 
                global $session_connection;
                if (isset($_COOKIE[$session_name])) {
                        @session_start();
 
-                       if (!isset($_SESSION["uid"]) || !$_SESSION["uid"]) {
+                       if (!isset($_SESSION["uid"]) || !$_SESSION["uid"] || !validate_session($session_connection)) {
                                session_destroy();
                           setcookie(session_name(), '', time()-42000, '/');
                        }