add more control to auth paranoia setting

1 files changed, 27 insertions, 4 deletions

diff --git a/include/auth.php b/include/auth.php
index 8e02b7b4f..a8a1a5f5c 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -130,11 +130,34 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 
 		if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
 			logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-			if(get_config('system','paranoia')) {
-				logger('Session address changed. Paranoid setting in effect, blocking session. ' 
+
+			$partial1 = substr($_SESSION['addr'],0,strrpos($_SESSION['addr'],'.')); 
+			$partial2 = substr($_SERVER['REMOTE_ADDR'],0,strrpos($_SERVER['REMOTE_ADDR'],'.')); 
+
+			$paranoia = intval(get_config('system','paranoia'));
+			switch($paranoia) {
+				case 0:
+					// no IP checking
+					break;
+				case 2:
+					// check 2 octets
+					$partial1 = substr($partial1,0,strrpos($partial1,'.')); 
+					$partial2 = substr($partial2,0,strrpos($partial2,'.')); 
+					if($partial1 == $partial2)
+						break;
+				case 1:
+					// check 3 octets
+					if($partial1 == $partial2)
+						break;
+				case 3:
+				default:
+					// check any difference at all
+					logger('Session address changed. Paranoid setting in effect, blocking session. ' 
 					. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-				nuke_session();
-				goaway(z_root());
+					nuke_session();
+					goaway(z_root());
+					break;
+
 			}
 		}