From: Andrew Dolgov <noreply@fakecake.org>
Date: Fri, 21 Aug 2015 06:02:16 +0000 (+0300)
Subject: remove SESSION_CHECK_ADDRESS
X-Git-Tag: 16.3~123^2
X-Git-Url: https://git.wh0rd.org/?p=tt-rss.git;a=commitdiff_plain;h=f5e66c439e9c8881d745499243341b4095274c12

remove SESSION_CHECK_ADDRESS
---

diff --git a/config.php-dist b/config.php-dist
index 311b94df..2eaaab61 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -141,13 +141,6 @@
 	// Default lifetime of a session (e.g. login) cookie. In seconds, 
 	// 0 means cookie will be deleted when browser closes.
 
-	define('SESSION_CHECK_ADDRESS', 1);
-	// Check client IP address when validating session:
-	// 0 - disable checking
-	// 1 - check first 3 octets of an address (recommended)
-	// 2 - check first 2 octets of an address
-	// 3 - check entire address
-
 	// *********************************
 	// *** Email and digest settings ***
 	// *********************************
diff --git a/include/sessions.php b/include/sessions.php
index 30d50264..c0ec64c3 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -39,41 +39,12 @@
 	function validate_session() {
 		if (SINGLE_USER_MODE) return true;
 
-		//if (VERSION_STATIC != $_SESSION["version"]) return false;
-
-		$check_ip = $_SESSION['ip_address'];
-
-		switch (SESSION_CHECK_ADDRESS) {
-		case 0:
-			$check_ip = '';
-			break;
-		case 1:
-			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
-			break;
-		case 2:
-			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
-			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
-			break;
-		};
-
-		if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0) {
-			$_SESSION["login_error_msg"] =
-				__("Session failed to validate (incorrect IP)");
-			return false;
-		}
-
 		if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != session_get_schema_version(true)) {
 			$_SESSION["login_error_msg"] =
 				__("Session failed to validate (schema version changed)");
 			return false;
 		}
 
-		/* if (sha1($_SERVER['HTTP_USER_AGENT']) != $_SESSION["user_agent"]) {
-			$_SESSION["login_error_msg"] =
-				__("Session failed to validate (user agent changed)");
-			return false;
-		} */
-
 		if ($_SESSION["uid"]) {
 			$result = Db::get()->query(
 				"SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");