invalidate session on password change

Andrew Dolgov 2007-09-12 04:41:56 +01:00
parent c32cd48afe
commit e668413073
1 changed files with 13 additions and 0 deletions


@ -1449,6 +1449,7 @@
$_SESSION["theme"] = $user_theme;
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
$_SESSION["pwd_hash"] = $pwd_hash;
initialize_user_prefs($link, $_SESSION["uid"]);
@ -1534,6 +1535,18 @@
}
}
if ($_SESSION["uid"]) {
$result = db_query($link,
"SELECT pwd_hash FROM ttrss_users WHERE id = '".$_SESSION["uid"]."'");
$pwd_hash = db_fetch_result($result, 0, "pwd_hash");
if ($pwd_hash != $_SESSION["pwd_hash"]) {
return false;
}
}
/* if ($_SESSION["cookie_lifetime"] && $_SESSION["uid"]) {
//print_r($_SESSION);
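Review bot: The check `$pwd_hash != $_SESSION["pwd_hash"]` in the second hunk is a loose comparison, so two different values can still be treated as equal: PHP compares numeric-looking strings numerically, and if the user row no longer exists and the session predates this commit, both sides may be empty. A strict check that also rejects an empty result closes both cases, e.g. `if (!$pwd_hash || $pwd_hash !== $_SESSION["pwd_hash"]) {`. The query also concatenates `$_SESSION["uid"]` into the SQL string; it is server-side state, but casting it with `(int)$_SESSION["uid"]` keeps the statement safe if the way that value is populated ever changes. The first hunk copies the stored password hash into the session, so anything able to read the session store can read the hash; keeping a digest derived from it would serve the same purpose. The enclosing function starts and ends outside the hunk, so whether the caller actually destroys the session after `return false` cannot be confirmed from here.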