pngcrush.sh
index c80c21de3a24cc6314f4fe8164c0313363f29cfb..c27eb98b05ad6806b8723db864232cfc8964cbcb 100644 (file)
@@ -13,7 +13,6 @@
        $session_name = (!defined('TTRSS_SESSION_NAME')) ? "ttrss_sid" : TTRSS_SESSION_NAME;
 
        if (is_server_https()) {
-               $session_name .= "_ssl";
                ini_set("session.cookie_secure", true);
        }
 
                                __("Session failed to validate (schema version changed)");
                        return false;
                }
-        $pdo = Db::pdo();
+                 $pdo = Db::pdo();
 
                if ($_SESSION["uid"]) {
+
+                       if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
+                               $_SESSION["login_error_msg"] = __("Session failed to validate (UA changed).");
+                               return false;
+                       }
+
                        $sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
                        $sth->execute([$_SESSION['uid']]);
 
                        // user not found
                        if ($row = $sth->fetch()) {
-                $pwd_hash = $row["pwd_hash"];
+                                        $pwd_hash = $row["pwd_hash"];
 
-                if ($pwd_hash != $_SESSION["pwd_hash"]) {
+                                        if ($pwd_hash != $_SESSION["pwd_hash"]) {
 
-                    $_SESSION["login_error_msg"] =
-                        __("Session failed to validate (password changed)");
+                                                 $_SESSION["login_error_msg"] =
+                                                               __("Session failed to validate (password changed)");
 
-                    return false;
-                }
+                                                 return false;
+                                        }
                        } else {
 
-                $_SESSION["login_error_msg"] =
-                    __("Session failed to validate (user not found)");
+                                        $_SESSION["login_error_msg"] =
+                                                 __("Session failed to validate (user not found)");
 
-                return false;
+                                        return false;
 
                        }
                }
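Review bot: The new user-agent check at the top of the `if ($_SESSION["uid"])` branch compares two digests with loose `!=` and reads `$_SERVER['HTTP_USER_AGENT']` without checking it exists, so a request without a User-Agent header raises a notice and hashes an empty string, and on PHP versions that still compare numeric-looking strings numerically two different `0e…` hex digests compare equal. A strict, presence-checked comparison such as `if (!isset($_SESSION["user_agent"]) || $_SESSION["user_agent"] !== sha1($_SERVER['HTTP_USER_AGENT'] ?? '')) {` closes both gaps (use `isset()` instead of `??` if the project still targets PHP 5); the pre-existing `$pwd_hash != $_SESSION["pwd_hash"]` comparison further down this hunk has the same loose-equality issue and would benefit from `!==` or `hash_equals()`. Where `$_SESSION["user_agent"]` is populated is not in this hunk; any login path that does not set it, and every session created before this change, will now fail validation with "UA changed", so that is worth confirming against the login code. The User-Agent value is client-supplied, so this binding only catches accidental session reuse across clients and should be documented as a secondary check rather than a session-hijacking defence. The enclosing validation function begins before the start of this hunk.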
                $sth->execute([$id]);
 
                if ($row = $sth->fetch()) {
-            return base64_decode($row["data"]);
+                               return base64_decode($row["data"]);
 
                } else {
-            $expire = time() + $session_expire;
+                               $expire = time() + $session_expire;
 
-            $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
+                               $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
                                        VALUES (?, '', ?)");
-            $sth->execute([$id, $expire]);
+                               $sth->execute([$id, $expire]);
 
-            return "";
+                               return "";
 
                }
 
                $data = base64_encode($data);
                $expire = time() + $session_expire;
 
-        $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
-        $sth->execute([$data, $expire, $id]);
+               $sth = Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");
+               $sth->execute([$id]);
+
+               if ($row = $sth->fetch()) {
+                       $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
+                       $sth->execute([$data, $expire, $id]);
+               } else {
+                       $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
+                               VALUES (?, ?, ?)");
+                       $sth->execute([$id, $data, $expire]);
+               }
 
                return true;
        }
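Review bot: The SELECT-then-INSERT sequence replacing the single UPDATE is not atomic, so two concurrent requests carrying the same not-yet-persisted session id can both miss on the `SELECT id` and both attempt the INSERT; if `id` is the table's primary or unique key (it appears to be, given the read handler in the preceding hunk inserts on miss), the second INSERT fails, and with PDO in exception mode that surfaces as an uncaught PDOException from the session write handler. A portable fix that keeps this structure is to treat a failed INSERT as "someone else created the row" and fall back to the UPDATE, as sketched below; a backend-specific upsert would be cleaner if the project is willing to branch on the driver. This also assumes PDO is configured with ERRMODE_EXCEPTION, which is not visible here — confirm in `Db::pdo()`. The enclosing write function begins before the start of this hunk.
```php
// … unchanged: base64_encode(), $expire, SELECT id FROM ttrss_sessions …
if ($row = $sth->fetch()) {
    $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
    $sth->execute([$data, $expire, $id]);
} else {
    try {
        $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
            VALUES (?, ?, ?)");
        $sth->execute([$id, $data, $expire]);
    } catch (PDOException $e) {
        // Lost the race with a concurrent request (or ttrss_read) that inserted
        // the same id between our SELECT and INSERT; write to that row instead.
        // A genuine DB failure will re-throw from this UPDATE.
        $sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
        $sth->execute([$data, $expire, $id]);
    }
}

return true;
```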