From: Andrew Dolgov Date: Thu, 2 Mar 2006 08:32:44 +0000 (+0100) Subject: new option: SESSION_CHECK_ADDRESS X-Git-Tag: schema_freeze_for_1.1.4~30 X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=09018e9526843334144d90c1891de2489148f85f;p=tt-rss.git new option: SESSION_CHECK_ADDRESS --- diff --git a/config.php-dist b/config.php-dist index a17c352e..17b2ed53 100644 --- a/config.php-dist +++ b/config.php-dist @@ -104,5 +104,8 @@ // Store session information in a database (recommended) // Uses default PHP session storing mechanism if disabled + define('SESSION_CHECK_ADDRESS', true); + // Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS) + // vim:ft=php ?> diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql index 540fc0f2..671577cf 100644 --- a/schema/ttrss_schema_mysql.sql +++ b/schema/ttrss_schema_mysql.sql @@ -259,6 +259,7 @@ create table ttrss_scheduled_updates (id integer not null primary key auto_incre create table ttrss_sessions (id varchar(300) unique not null primary key, data text, expire integer not null, + ip_address varchar(15) not null default '', index (id), index (expire)) TYPE=InnoDB; diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql index c6bc4521..e393353a 100644 --- a/schema/ttrss_schema_pgsql.sql +++ b/schema/ttrss_schema_pgsql.sql @@ -232,8 +232,9 @@ create table ttrss_scheduled_updates (id serial not null primary key, entered timestamp not null default NOW()); create table ttrss_sessions (id varchar(300) unique not null primary key, - data text, - expire integer not null); + data text, + expire integer not null, + ip_address varchar(15) not null default ''); create index ttrss_sessions_expire_index on ttrss_sessions(expire); diff --git a/schema/upgrade-1.1.3-1.1.4-mysql.sql b/schema/upgrade-1.1.3-1.1.4-mysql.sql index 32b45e89..37b3674d 100644 --- a/schema/upgrade-1.1.3-1.1.4-mysql.sql +++ b/schema/upgrade-1.1.3-1.1.4-mysql.sql 
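Review bot: The comment added under `define('SESSION_CHECK_ADDRESS', true);` names the dependency on DATABASE_BACKED_SESSIONS but not the operational cost of an option that ships enabled. sessions.php compares against `$_SERVER["REMOTE_ADDR"]`, so where tt-rss sits behind a reverse proxy every client presents the proxy's address and the binding adds nothing, while a client whose address changes mid-session no longer matches its row and loses the session. I would extend the comment, e.g. `// Compares REMOTE_ADDR; disable if clients change address or arrive via a shared proxy`. Nothing visible enforces the DATABASE_BACKED_SESSIONS requirement, so the comment should also say the option is ignored without it, if that is the case.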
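Review bot: `ip_address varchar(15)` in the ttrss_sessions definition only fits a dotted-quad IPv4 address; an IPv6 REMOTE_ADDR can be up to 39 characters (45 in the IPv4-mapped form). PostgreSQL rejects the over-long value on INSERT, and MySQL either rejects it or, in non-strict mode, truncates it so that the later `ip_address = '...'` comparison never matches. Either way an IPv6 client cannot keep a session while SESSION_CHECK_ADDRESS is on. Widening the column to `ip_address varchar(45) not null default ''` covers both address families. The same definition is repeated in the ttrss_schema_pgsql.sql hunk and in both upgrade-1.1.3-1.1.4 scripts, which need the same change.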
@@ -8,6 +8,7 @@ alter table ttrss_entries alter column author set default ''; create table ttrss_sessions (id varchar(300) unique not null primary key, data text, expire integer not null, + ip_address varchar(15) not null default '', index (id), index (expire)) TYPE=InnoDB; diff --git a/schema/upgrade-1.1.3-1.1.4-pgsql.sql b/schema/upgrade-1.1.3-1.1.4-pgsql.sql index d1d310f3..0191d6ed 100644 --- a/schema/upgrade-1.1.3-1.1.4-pgsql.sql +++ b/schema/upgrade-1.1.3-1.1.4-pgsql.sql @@ -9,7 +9,8 @@ alter table ttrss_entries alter column author set default ''; create table ttrss_sessions (id varchar(300) unique not null primary key, data text, - expire integer not null); + expire integer not null, + ip_address varchar(15) not null default ''); create index ttrss_sessions_id_index on ttrss_sessions(id); create index ttrss_sessions_expire_index on ttrss_sessions(expire); diff --git a/sessions.php b/sessions.php index 54b862a3..3d931d96 100644 --- a/sessions.php +++ b/sessions.php @@ -22,7 +22,13 @@ global $session_connection,$session_read; - $query = "SELECT data FROM ttrss_sessions WHERE id='$id'"; + $ip_address = $_SERVER["REMOTE_ADDR"]; + + if (SESSION_CHECK_ADDRESS) { + $address_check_qpart = " AND ip_address = '$ip_address'"; + } + + $query = "SELECT data FROM ttrss_sessions WHERE id='$id' $address_check_qpart"; $res = db_query($session_connection, $query); 
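Review bot: `$address_check_qpart` is assigned only inside the `if`, so with SESSION_CHECK_ADDRESS set to false the query string interpolates an undefined variable (a PHP notice); the same block is repeated in the two later sessions.php hunks (`-47,12` and `-71,8`). Initialise it first with `$address_check_qpart = "";` and guard the constant as `if (defined('SESSION_CHECK_ADDRESS') && SESSION_CHECK_ADDRESS) {`. A config.php written before this commit does not define the constant, and on PHP versions that evaluate an undefined constant as its own name the check would then be switched on silently. `$ip_address` also goes into the SQL unescaped, while `$data` in the write hunk is passed through `db_escape_string(..., $session_connection)`; running the address through the same call keeps the three queries consistent. The enclosing function starts and ends outside this hunk.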
@@ -47,12 +53,18 @@ $data = db_escape_string(base64_encode($data), $session_connection); + $ip_address = $_SERVER["REMOTE_ADDR"]; + + if (SESSION_CHECK_ADDRESS) { + $address_check_qpart = " AND ip_address = '$ip_address'"; + } + if ($session_read) { $query = "UPDATE ttrss_sessions SET data='$data', - expire='$expire' WHERE id='$id'"; + expire='$expire' WHERE id='$id' $address_check_qpart"; } else { - $query = "INSERT INTO ttrss_sessions (id, data, expire) - VALUES ('$id', '$data', '$expire')"; + $query = "INSERT INTO ttrss_sessions (id, data, expire, ip_address) + VALUES ('$id', '$data', '$expire', '$ip_address')"; } db_query($session_connection, $query); @@ -71,8 +83,14 @@ function destroy ($id) { global $session_connection; - - $query = "DELETE FROM ttrss_sessions WHERE id = '$id'"; + + $ip_address = $_SERVER["REMOTE_ADDR"]; + + if (SESSION_CHECK_ADDRESS) { + $address_check_qpart = " AND ip_address = '$ip_address'"; + } + + $query = "DELETE FROM ttrss_sessions WHERE id = '$id' $address_check_qpart"; db_query($session_connection, $query);
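Review bot: The `else` branch can now issue an INSERT for an id that already has a row. If `$session_read` is only set when the read handler finds a matching row (not visible in this hunk), a request that presents an existing id from a different address fails the new address check on read and lands here, where the INSERT collides with the primary key on `id`. It would be cleaner to handle the mismatch explicitly, for example by removing the stale row with `DELETE FROM ttrss_sessions WHERE id='$id'` before the INSERT, so that an id presented from the wrong address is invalidated rather than surfacing as a database error. Under the same assumption the `$address_check_qpart` on the UPDATE is redundant, since that branch is only reached after a successful read in the same request. The function's start and end are outside the hunk.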
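Review bot: Appending `$address_check_qpart` to the DELETE in destroy() means a session row is removed only when the request comes from the address stored with it. A logout or session reset issued after the client's address changed may then match nothing, leaving the old row valid for the original address until the `expire` cleanup removes it. Deleting by id alone, `$query = "DELETE FROM ttrss_sessions WHERE id = '$id'";`, is the safer direction here because the statement can only invalidate a session, never grant one. destroy() continues past the end of the hunk.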