$session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
if (is_server_https()) {
- $session_name .= "_ssl";
ini_set("session.cookie_secure", true);
}
$pdo = Db::pdo();
if ($_SESSION["uid"]) {
+
+ if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
+ $_SESSION["login_error_msg"] = __("Session failed to validate (UA changed).");
+ return false;
+ }
+
$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
$sth->execute([$_SESSION['uid']]);
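Review bot: The added check `if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT']))` compares two hex digests with loose `!=`, so PHP treats two numeric-looking strings (both of the form `0e` followed by digits) as equal. It also reads `$_SERVER['HTTP_USER_AGENT']` without checking that the header was sent. A strict comparison that covers both cases is `if (!hash_equals((string) ($_SESSION["user_agent"] ?? ""), sha1($_SERVER["HTTP_USER_AGENT"] ?? ""))) {`. The User-Agent is client-supplied and not secret, so I would add a comment above the check such as `// UA binding is a consistency check only; it does not stop replay of a stolen session cookie`. The enclosing function starts and ends outside the hunk, so whether the session is invalidated after `return false` cannot be seen from here.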