validate_session: bring back IP session binding (enabled by default) and UA checking
parent
8064ca3f8c
commit
7d53c2b501
|
@ -49,6 +49,19 @@
|
||||||
$pdo = Db::pdo();
|
$pdo = Db::pdo();
|
||||||
|
|
||||||
if ($_SESSION["uid"]) {
|
if ($_SESSION["uid"]) {
|
||||||
|
|
||||||
|
if (!defined('_SKIP_SESSION_ADDRESS_CHECKS') || !_SKIP_SESSION_ADDRESS_CHECKS) {
|
||||||
|
if ($_SESSION["ip_address"] != $_SERVER["REMOTE_ADDR"]) {
|
||||||
|
$_SESSION["login_error_msg"] = __("Session failed to validate.");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
|
||||||
|
$_SESSION["login_error_msg"] = __("Session failed to validate.");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
|
$sth = $pdo->prepare("SELECT pwd_hash FROM ttrss_users WHERE id = ?");
|
||||||
$sth->execute([$_SESSION['uid']]);
|
$sth->execute([$_SESSION['uid']]);
|
||||||
|
|
||||||
|
|
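Review bot: The new user-agent check reads `$_SERVER['HTTP_USER_AGENT']` without a fallback and compares with loose `!=`, so a request that sends no User-Agent header triggers an undefined-index notice or warning and passes null to sha1() (deprecated since PHP 8.1), and two digests of the form `0e<digits>` would compare equal as numbers. I would write it as `if (($_SESSION["user_agent"] ?? '') !== sha1($_SERVER['HTTP_USER_AGENT'] ?? '')) {` and switch the `ip_address` comparison to `!==` as well. Unlike the address check, the user-agent check has no opt-out constant, and sessions that lack the `ip_address`/`user_agent` keys (presumably any created before this commit) will fail validation on their next request, which deserves a line in the commit message or a comment. `REMOTE_ADDR` is the proxy's address when the application sits behind a reverse proxy, so a comment above the block should say that the binding is only as precise as that value and that `_SKIP_SESSION_ADDRESS_CHECKS` exists for clients whose address changes. The enclosing function starts and ends outside the hunk.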