diff --git a/config.php-dist b/config.php-dist
index 824b843c7..f3045f70e 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -49,8 +49,12 @@
 	// configurations. Doesn't seem to work for everyone, so enable with caution.
 	// tt-rss uses default PHP session storing mechanism if disabled.
 
-	define('SESSION_CHECK_ADDRESS', true);
-	// Bind session to client IP address (recommended)
+	define('SESSION_CHECK_ADDRESS', 1);
+	// Check client IP address when validating session:
+	// 0 - disable checking
+	// 1 - check first 3 octets of an address (recommended)
+	// 2 - check first 2 octets of an address
+	// 3 - check entire address
 
 	define('SESSION_COOKIE_LIFETIME', 0);
 	// Default lifetime of a session (e.g. login) cookie. In seconds,
diff --git a/functions.php b/functions.php
index d874ba3b9..1d37727fe 100644
--- a/functions.php
+++ b/functions.php
@@ -1901,22 +1901,29 @@
 	}
 
 	function validate_session($link) {
-		if (SINGLE_USER_MODE) {
-			return true;
-		}
+		if (SINGLE_USER_MODE) return true;
 
-		if (SESSION_CHECK_ADDRESS && $_SESSION["uid"]) {
-			if ($_SESSION["ip_address"]) {
-				if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
-					$_SESSION["login_error_msg"] = __("Session failed to validate (incorrect IP)");
-					return false;
-				}
-			}
-		}
+		$check_ip = $_SESSION['ip_address'];
 
-		if ($_SESSION["ref_schema_version"] != get_schema_version($link, true)) {
+		switch (SESSION_CHECK_ADDRESS) {
+		case 0:
+			$check_ip = '';
+			break;
+		case 1:
+			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+			break;
+		case 2:
+			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.'));
+			$check_ip = substr($check_ip, 0, strrpos($check_ip, '.')+1);
+			break;
+		};
+
+		if ($check_ip && strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0)
+			$_SESSION["login_error_msg"] =
+				__("Session failed to validate (incorrect IP)");
+
+		if ($_SESSION["ref_schema_version"] != get_schema_version($link, true))
 			return false;
-		}
 
 		if ($_SESSION["uid"]) {
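Review bot: The new comment block promises that the session is checked against the client address in modes 1–3, but the validate_session change in the functions.php hunk on this page does not deliver that: on a mismatch it only assigns `$_SESSION["login_error_msg"]` and falls through, the `return false` that the removed branch had is gone, and mode 3 tests with `strpos($_SERVER['REMOTE_ADDR'], $check_ip) !== 0`, which is a prefix test rather than an equality test (a constructed example: a stored 10.0.0.4 also accepts 10.0.0.45). Existing installs that keep `define('SESSION_CHECK_ADDRESS', true)` silently land in mode 1, because `switch` compares loosely and `true == 1`, so the former full-address behaviour becomes a 3-octet check without any notice; a line such as `// Note: the previous boolean true is treated as 1 here; use 3 to keep the full-address check` would make the migration explicit. The octet-based modes are also only meaningful for dotted IPv4 addresses (there is no '.' in an IPv6 address to split on), which is worth stating in this comment so administrators do not expect modes 1/2 to cover them. The validate_session hunk itself runs past the end of this page, so its tail was not reviewed.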