From e6684130735a424559212d065654b66fb8c63d70 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Wed, 12 Sep 2007 04:41:56 +0100 Subject: [PATCH] invalidate session on password change --- functions.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/functions.php b/functions.php index 131dc0db1..a237aff5a 100644 --- a/functions.php +++ b/functions.php @@ -1449,6 +1449,7 @@ $_SESSION["theme"] = $user_theme; $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; + $_SESSION["pwd_hash"] = $pwd_hash; initialize_user_prefs($link, $_SESSION["uid"]); @@ -1534,6 +1535,18 @@ } } + if ($_SESSION["uid"]) { + + $result = db_query($link, + "SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'"); + + $pwd_hash = db_fetch_result($result, 0, "pwd_hash"); + + if ($pwd_hash != $_SESSION["pwd_hash"]) { + return false; + } + } + /* if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) { //print_r($_SESSION);