aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFriendika <info@friendika.com>2010-11-29 23:16:14 -0800
committerFriendika <info@friendika.com>2010-11-29 23:16:14 -0800
commit67e827e128a4c446b89f581793f64fd0f1299389 (patch)
tree80bdd6d60f1340933f0c8884285725303fe4d54a
parent3672335decff66669ef7a9411fa3ae12f9c5feeb (diff)
downloadvolse-hubzilla-67e827e128a4c446b89f581793f64fd0f1299389.tar.gz
volse-hubzilla-67e827e128a4c446b89f581793f64fd0f1299389.tar.bz2
volse-hubzilla-67e827e128a4c446b89f581793f64fd0f1299389.zip
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in.
-rw-r--r--include/auth.php43
1 files changed, 26 insertions, 17 deletions
diff --git a/include/auth.php b/include/auth.php
index d82bc84d1..dd4afac23 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -1,20 +1,29 @@
<?php
+
+function nuke_session() {
+ unset($_SESSION['authenticated']);
+ unset($_SESSION['uid']);
+ unset($_SESSION['visitor_id']);
+ unset($_SESSION['administrator']);
+ unset($_SESSION['cid']);
+ unset($_SESSION['theme']);
+ unset($_SESSION['page_flags']);
+}
+
+
// login/logout
+
+
+
if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
// process logout request
- unset($_SESSION['authenticated']);
- unset($_SESSION['uid']);
- unset($_SESSION['visitor_id']);
- unset($_SESSION['administrator']);
- unset($_SESSION['cid']);
- unset($_SESSION['theme']);
- unset($_SESSION['page_flags']);
+ nuke_session();
notice( t('Logged out.') . EOL);
goaway($a->get_baseurl());
}
@@ -23,13 +32,19 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
// already logged in user returning
+ $check = get_config('system','paranoia');
+ // extra paranoia - if the IP changed, log them out
+ if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
+ nuke_session();
+ goaway($a->get_baseurl());
+ }
+
$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
intval($_SESSION['uid'])
);
if(! count($r)) {
- unset($_SESSION['authenticated']);
- unset($_SESSION['uid']);
+ nuke_session();
goaway($a->get_baseurl());
}
@@ -57,14 +72,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
else {
if(isset($_SESSION)) {
- unset($_SESSION['authenticated']);
- unset($_SESSION['uid']);
- unset($_SESSION['visitor_id']);
- unset($_SESSION['administrator']);
- unset($_SESSION['cid']);
- unset($_SESSION['theme']);
- unset($_SESSION['my_url']);
- unset($_SESSION['page_flags']);
+ nuke_session();
}
if((x($_POST,'password')) && strlen($_POST['password']))
@@ -140,6 +148,7 @@ else {
$_SESSION['authenticated'] = 1;
$_SESSION['page_flags'] = $r[0]['page-flags'];
$_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname'];
+ $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
notice( t("Welcome back ") . $r[0]['username'] . EOL);
$a->user = $r[0];