sessions: stop validating against hash of user agent because chromium is sending
different agent headers for whatever reason, example:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
seems to be related, at least, to App.postOpenWindow() hack.
parent
98c75a9e43
commit
fe06416f17
|
@ -48,7 +48,6 @@ class UserHelper {
|
|||
$_SESSION["access_level"] = $user->access_level;
|
||||
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
|
||||
$_SESSION["ip_address"] = UserHelper::get_user_ip();
|
||||
$_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
|
||||
$_SESSION["pwd_hash"] = $user->pwd_hash;
|
||||
|
||||
$user->last_login = Db::NOW();
|
||||
|
|
|
@ -22,35 +22,18 @@
|
|||
function validate_session() {
|
||||
if (\Config::get(\Config::SINGLE_USER_MODE)) return true;
|
||||
|
||||
/* if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != \Config::get_schema_version()) {
|
||||
$_SESSION["login_error_msg"] =
|
||||
__("Session failed to validate (schema version changed)");
|
||||
return false;
|
||||
} */
|
||||
|
||||
$pdo = \Db::pdo();
|
||||
|
||||
if (!empty($_SESSION["uid"])) {
|
||||
|
||||
if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
|
||||
$_SESSION["login_error_msg"] = __("Session failed to validate (UA changed).");
|
||||
return false;
|
||||
}
|
||||
|
||||
$user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
|
||||
|
||||
if ($user) {
|
||||
if ($user->pwd_hash != $_SESSION["pwd_hash"]) {
|
||||
|
||||
$_SESSION["login_error_msg"] =
|
||||
__("Session failed to validate (password changed)");
|
||||
|
||||
$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
$_SESSION["login_error_msg"] =
|
||||
__("Session failed to validate (user not found)");
|
||||
|
||||
$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
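Review bot: With the user-agent comparison gone, the only per-request check left in the visible part of validate_session() for a logged-in session is the `pwd_hash` comparison, and it uses loose `!=`. PHP's loose comparison treats two numeric-looking strings as equal even when they differ, so the strict form `if ($user->pwd_hash !== $_SESSION["pwd_hash"]) {` is the safer way to write it. The login hunk still stores `$_SESSION["ip_address"]`, but whether anything validates it is not visible here, so a short comment above the `if (!empty($_SESSION["uid"]))` block would help the next reader, for example `// User-Agent binding dropped: Chromium can send differing UA headers within one session`. The commented-out schema-version block at the top of the function is dead code and could be removed in the same change. The function body appears to continue past the end of this hunk.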