make SESSION_CHECK_ADDRESS work on generic sessions

author Andrew Dolgov <fox@bah.spb.su>

Sat, 4 Mar 2006 13:30:50 +0000 (14:30 +0100)

committer Andrew Dolgov <fox@bah.spb.su>

Sat, 4 Mar 2006 13:30:50 +0000 (14:30 +0100)
author Andrew Dolgov <fox@bah.spb.su>
Sat, 4 Mar 2006 13:30:50 +0000 (14:30 +0100)
committer Andrew Dolgov <fox@bah.spb.su>
Sat, 4 Mar 2006 13:30:50 +0000 (14:30 +0100)
diff --git a/config.php-dist b/config.php-dist

index 9b05db94c0bc35fcc0bc15d10519c6913ec10a62..c8d33b4c1b46e12d950b972d97f9182451265550 100644 (file)
--- a/config.php-dist
+++ b/config.php-dist
@@ -105,7 +105,7 @@
         // Uses default PHP session storing mechanism if disabled
  
         define('SESSION_CHECK_ADDRESS', true);
-       // Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS)
+       // Bind session to client IP address (recommended)
  
         define('SESSION_COOKIE_LIFETIME', 0);
         // Default lifetime of a session cookie. In seconds, 
diff --git a/functions.php b/functions.php

index acbc3d31e111fbc79d112d5d1a5c58e240be05d3..931774cfdf89b427cacc3e7788f6508b2c0edc68 100644 (file)
--- a/functions.php
+++ b/functions.php
@@ -754,6 +754,7 @@
                         $user_theme = get_user_theme_path($link);
  
                         $_SESSION["theme"] = $user_theme;
+                       $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
  
                         initialize_user_prefs($link, $_SESSION["uid"]);
  
@@ -828,9 +829,28 @@
                 return $redirect_uri;
         }
  
+       function validate_session($link) {
+               if (SESSION_CHECK_ADDRESS && !DATABASE_BACKED_SESSIONS && $_SESSION["uid"]) {
+                       if ($_SESSION["ip_address"]) {
+                               if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
+                                       return false;
+                               }
+                       }
+               }
+               return true;
+       }
+
         function login_sequence($link) {
                 if (!SINGLE_USER_MODE) {
  
+                       if (!validate_session($link)) {
+                               logout_user();
+                               $redirect_uri = get_login_redirect();
+                               $return_to = preg_replace('/.*?\//', '', $_SERVER["REQUEST_URI"]);
+                               header("Location: $redirect_uri?rt=$return_to");
+                               exit;
+                       }
+
                         if (!USE_HTTP_AUTH) {
                                 if (!$_SESSION["uid"]) {
                                         $redirect_uri = get_login_redirect();
author	Andrew Dolgov <fox@bah.spb.su>
	Sat, 4 Mar 2006 13:30:50 +0000 (14:30 +0100)
committer	Andrew Dolgov <fox@bah.spb.su>
	Sat, 4 Mar 2006 13:30:50 +0000 (14:30 +0100)
config.php-dist		patch \| blob \| blame \| history
functions.php		patch \| blob \| blame \| history