author | friendica <info@friendica.com> | 2014-05-11 22:01:53 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-05-11 22:01:53 -0700 |
commit | ef5ffad69073ca047beeed23c508def4e1843922 (patch) | |
tree | e78a53551e71283e40b51d573b7c793e9a60e41b /include/auth.php | |
parent | 3eae3fd496abcd843d18a36e042f2185527d8803 (diff) | |
log IP mis-matches even if paranoia isn't set.
Diffstat (limited to 'include/auth.php')
-rw-r--r-- | include/auth.php | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/include/auth.php b/include/auth.php
index c21705c99..e8f13d0fb 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -117,13 +117,14 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 // first check if we're enforcing that sessions can't change IP address
- $check = get_config('system','paranoia');
- // extra paranoia - if the IP changed, log them out
- if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
- logger('Session address changed. Paranoid setting in effect, blocking session. '
- . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- nuke_session();
- goaway(z_root());
+ if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ if(get_config('system','paranoia')) {
+ logger('Session address changed. Paranoid setting in effect, blocking session. '
+ . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ nuke_session();
+ goaway(z_root());
+ }
 }
 $r = q("select * from account where account_id = %d limit 1", |
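Review bot: The new outer test reads `$_SESSION['addr']` on every authenticated request, whereas the old `$check && ...` short-circuit only reached it when `paranoia` was set, so a session without an `addr` key would now raise an undefined-index notice and write a SECURITY line on each request; a guard such as `if(x($_SESSION,'addr') && ($_SESSION['addr'] !== $_SERVER['REMOTE_ADDR'])) {` avoids that. With paranoia off, nothing in the hunk refreshes the stored address, so unless that happens elsewhere a roaming client would log the same mismatch on every page load and bury the entries worth investigating. The SECURITY message names only the two addresses; adding the account or channel id from the session would let an analyst correlate it, and with paranoia on the same event is now logged twice. The enclosing `if` block starts and ends outside the hunk.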