aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/auth.php15
1 files changed, 8 insertions, 7 deletions
diff --git a/include/auth.php b/include/auth.php
index c21705c99..e8f13d0fb 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -117,13 +117,14 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
// first check if we're enforcing that sessions can't change IP address
- $check = get_config('system','paranoia');
- // extra paranoia - if the IP changed, log them out
- if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
- logger('Session address changed. Paranoid setting in effect, blocking session. '
- . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- nuke_session();
- goaway(z_root());
+ if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ if(get_config('system','paranoia')) {
+ logger('Session address changed. Paranoid setting in effect, blocking session. '
+ . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ nuke_session();
+ goaway(z_root());
+ }
}
$r = q("select * from account where account_id = %d limit 1",