-rw-r--r--Zotlabs/Web/Session.php59
-rw-r--r--include/auth.php38
2 files changed, 59 insertions, 38 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index d25ce5f6a..e5fe47386 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -68,8 +68,6 @@ class Session {
}
}
-
-
function new_cookie($xtime) {
$newxtime = (($xtime> 0) ? (time() + $xtime) : 0);
@@ -94,5 +92,62 @@ class Session {
}
+ function extend_cookie() {
+
+ // if there's a long-term cookie, extend it
+
+ if(intval($_SESSION['remember_me']))
+ setcookie(session_name(),session_id(),(time() + (60 * 60 * 24 * 365)));
+
+ }
+
+
+ function return_check() {
+
+ // check a returning visitor against IP changes.
+ // If the change results in being blocked from re-entry with the current cookie
+ // nuke the session and logout.
+ // Returning at all indicates the session is still valid.
+
+ // first check if we're enforcing that sessions can't change IP address
+ // @todo what to do with IPv6 addresses
+
+ if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+
+ $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
+ $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
+
+ $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
+
+ if(! $paranoia)
+ $paranoia = intval(get_config('system', 'paranoia'));
+
+ switch($paranoia) {
+ case 0:
+ // no IP checking
+ break;
+ case 2:
+ // check 2 octets
+ $partial1 = substr($partial1, 0, strrpos($partial1, '.'));
+ $partial2 = substr($partial2, 0, strrpos($partial2, '.'));
+ if($partial1 == $partial2)
+ break;
+ case 1:
+ // check 3 octets
+ if($partial1 == $partial2)
+ break;
+ case 3:
+ default:
+ // check any difference at all
+ logger('Session address changed. Paranoid setting in effect, blocking session. '
+ . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ self::nuke();
+ goaway(z_root());
+ break;
+ }
+ }
+ return true;
+ }
} \ No newline at end of file
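Review bot: In `return_check()` the prefix comparisons use `==`, and at paranoia level 2 the two-octet prefixes are numeric strings, so PHP compares them as numbers and `10.1` is treated as equal to `10.10`; writing `if($partial1 === $partial2)` in both `case 2` and `case 1` keeps it a string comparison. For a `REMOTE_ADDR` that contains no `.` (a plain IPv6 address) `strrpos()` returns false and both partials collapse to empty values, so levels 1 and 2 accept any address change; the `@todo` acknowledges IPv6 but nothing guards it, and falling through to the strict case when no `.` is found would be the safer default. `extend_cookie()` calls `setcookie()` with only name, value and expiry, so the re-issued session cookie has no explicit path, domain, `secure` or `httponly` arguments and may not match the cookie set at login (that code is outside this hunk). Both methods also read `$_SESSION['addr']` and `$_SESSION['remember_me']` without an `isset()` check, which raises a notice when the key is absent.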
diff --git a/include/auth.php b/include/auth.php
index f31bc074d..9643da8eb 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -141,42 +141,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) {
- // first check if we're enforcing that sessions can't change IP address
- // @todo what to do with IPv6 addresses
- if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
- logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-
- $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
- $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
-
- $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
- if(! $paranoia)
- $paranoia = intval(get_config('system', 'paranoia'));
-
- switch($paranoia) {
- case 0:
- // no IP checking
- break;
- case 2:
- // check 2 octets
- $partial1 = substr($partial1, 0, strrpos($partial1, '.'));
- $partial2 = substr($partial2, 0, strrpos($partial2, '.'));
- if($partial1 == $partial2)
- break;
- case 1:
- // check 3 octets
- if($partial1 == $partial2)
- break;
- case 3:
- default:
- // check any difference at all
- logger('Session address changed. Paranoid setting in effect, blocking session. '
- . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- \Zotlabs\Web\Session::nuke();
- goaway(z_root());
- break;
- }
- }
+ Zotlabs\Web\Session::return_check();
$r = q("select * from account where account_id = %d limit 1",
intval($_SESSION['account_id'])
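Review bot: `Zotlabs\Web\Session::return_check()` is called statically here, but the Session.php hunk declares it as `function return_check()` without `static`; PHP flags that as a strict/deprecation notice and PHP 8 rejects it outright, so the declarations should read `static function return_check()` and `static function extend_cookie()` (the `extend_cookie()` call in the next hunk has the same problem). The removed code wrote `\Zotlabs\Web\Session::nuke()` with a leading backslash, and keeping it as `\Zotlabs\Web\Session::return_check();` stays correct if this file is ever placed in a namespace. The enclosing `if` block starts and ends outside the hunk.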
@@ -190,6 +155,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
}
if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {
$_SESSION['last_login_date'] = datetime_convert();
+ Zotlabs\Web\Session::extend_cookie();
$login_refresh = true;
}
authenticate_success($r[0], false, false, false, $login_refresh);