do not use separate _ssl cookie for secure sessions

[tt-rss.git] / include / sessions.php

diff --git a/include/sessions.php b/include/sessions.php
index c80c21de3a24cc6314f4fe8164c0313363f29cfb..b79988d987d2d033b6016694a6c9b49adb836923 100644 (file)
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -13,7 +13,6 @@
        $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
 
        if (is_server_https()) {
-               $session_name .= "_ssl";
                ini_set("session.cookie_secure", true);
        }
 
@@ -49,6 +48,19 @@
         $pdo = Db::pdo();
 
                if ($_SESSION["uid"]) {
+
+                       if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
+                               if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+                                       $_SESSION["login_error_msg"] = __("Session failed to validate.");
+                                       return false;
+                               }
+                       }
+
+                       if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
+                               $_SESSION["login_error_msg"] = __("Session failed to validate.");
+                               return false;
+                       }
+
                        $sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
                        $sth->execute([$_SESSION['uid']]);