From 837ec70e3ee4378f4d7a0a616ad0f291b311152a Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Mon, 1 Apr 2013 18:22:07 +0400 Subject: [PATCH] validate_session: check for user agent --- include/functions.php | 1 + include/sessions.php | 3 +++ 2 files changed, 4 insertions(+) diff --git a/include/functions.php b/include/functions.php index e86c97474..ece6d1b91 100644 --- a/include/functions.php +++ b/include/functions.php @@ -621,6 +621,7 @@ $_SESSION["uid"]); $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; + $_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']); $_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash"); $_SESSION["last_version_check"] = time(); diff --git a/include/sessions.php b/include/sessions.php index 81a5a7383..778d00e3a 100644 --- a/include/sessions.php +++ b/include/sessions.php @@ -57,6 +57,9 @@ if ($_SESSION["ref_schema_version"] != session_get_schema_version($link, true)) return false; + if (sha1($_SERVER['HTTP_USER_AGENT']) != $_SESSION["user_agent"]) + return false; + if ($_SESSION["uid"]) { $result = db_query($link, "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");