authorredmatrix <git@macgirvin.com>2016-04-10 19:20:41 -0700
committerredmatrix <git@macgirvin.com>2016-04-10 19:20:41 -0700
commitd1a2aecfa05927b79350500b7c0f9d9b978afbeb (patch)
treeaac54594d87a07b84481db95cee17115797fb44b /Zotlabs/Web
parent0fe495727429dea14e4876c74ceb03fb71b58c29 (diff)
move more session related stuff such as paranoia handling (IP address changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions).
Diffstat (limited to 'Zotlabs/Web')
-rw-r--r--Zotlabs/Web/Session.php59
1 files changed, 57 insertions, 2 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index d25ce5f6a..e5fe47386 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -68,8 +68,6 @@ class Session {
}
}
-
-
function new_cookie($xtime) {
$newxtime = (($xtime> 0) ? (time() + $xtime) : 0);
@@ -94,5 +92,62 @@ class Session {
}
+ function extend_cookie() {
+
+ // if there's a long-term cookie, extend it
+
+ if(intval($_SESSION['remember_me']))
+ setcookie(session_name(),session_id(),(time() + (60 * 60 * 24 * 365)));
+
+ }
+
+
+ function return_check() {
+
+ // check a returning visitor against IP changes.
+ // If the change results in being blocked from re-entry with the current cookie
+ // nuke the session and logout.
+ // Returning at all indicates the session is still valid.
+
+ // first check if we're enforcing that sessions can't change IP address
+ // @todo what to do with IPv6 addresses
+
+ if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+
+ $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
+ $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
+
+ $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
+
+ if(! $paranoia)
+ $paranoia = intval(get_config('system', 'paranoia'));
+
+ switch($paranoia) {
+ case 0:
+ // no IP checking
+ break;
+ case 2:
+ // check 2 octets
+ $partial1 = substr($partial1, 0, strrpos($partial1, '.'));
+ $partial2 = substr($partial2, 0, strrpos($partial2, '.'));
+ if($partial1 == $partial2)
+ break;
+ case 1:
+ // check 3 octets
+ if($partial1 == $partial2)
+ break;
+ case 3:
+ default:
+ // check any difference at all
+ logger('Session address changed. Paranoid setting in effect, blocking session. '
+ . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ self::nuke();
+ goaway(z_root());
+ break;
+ }
+ }
+ return true;
+ }
} \ No newline at end of file
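Review bot: In return_check() the prefix comparisons `if($partial1 == $partial2)` use loose equality, and a two-octet prefix such as `10.1` is a numeric string, so PHP compares `10.1` and `10.10` as floats and treats them as the same network under paranoia level 2; `if($partial1 === $partial2)` avoids that. The same comparisons also pass for any IPv6 change at levels 1 and 2, because `strrpos($addr, '.')` returns false for an address without dots and both partials become empty strings; until the @todo is resolved, a false result from `strrpos` should be treated as a mismatch. In extend_cookie(), `setcookie(session_name(),session_id(),(time() + (60 * 60 * 24 * 365)));` re-issues the session id with no path, secure or httponly arguments, so the refreshed cookie may not carry the attributes of the original session cookie (new_cookie's body is outside the hunk, so what it sets cannot be confirmed here). Passing the values from `session_get_cookie_params()` would keep the two aligned.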