authorfriendica <info@friendica.com>2014-05-11 22:01:53 -0700
committerfriendica <info@friendica.com>2014-05-11 22:01:53 -0700
commitef5ffad69073ca047beeed23c508def4e1843922 (patch)
treee78a53551e71283e40b51d573b7c793e9a60e41b
parent3eae3fd496abcd843d18a36e042f2185527d8803 (diff)
log IP mis-matches even if paranoia isn't set.
-rw-r--r--include/auth.php15
1 files changed, 8 insertions, 7 deletions
diff --git a/include/auth.php b/include/auth.php
index c21705c99..e8f13d0fb 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -117,13 +117,14 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
// first check if we're enforcing that sessions can't change IP address
- $check = get_config('system','paranoia');
- // extra paranoia - if the IP changed, log them out
- if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
- logger('Session address changed. Paranoid setting in effect, blocking session. '
- . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- nuke_session();
- goaway(z_root());
+ if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ if(get_config('system','paranoia')) {
+ logger('Session address changed. Paranoid setting in effect, blocking session. '
+ . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ nuke_session();
+ goaway(z_root());
+ }
}
$r = q("select * from account where account_id = %d limit 1",