From 67e827e128a4c446b89f581793f64fd0f1299389 Mon Sep 17 00:00:00 2001
From: Friendika <info@friendika.com>
Date: Mon, 29 Nov 2010 23:16:14 -0800
Subject: paranoid option to reduce session hijacking by enforcing an IP match
 on session validation. This is not claimed to be a perfect solution to the
 problem by any stretch, it merely raises the bar on the script kiddies to the
 detriment of those whose dynamic IPs aren't long lived. For these reasons it
 is opt-in.

---
 include/auth.php | 43 ++++++++++++++++++++++++++-----------------
 1 file changed, 26 insertions(+), 17 deletions(-)

(limited to 'include/auth.php')

diff --git a/include/auth.php b/include/auth.php
index d82bc84d1..dd4afac23 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -1,20 +1,29 @@
 <?php
 
+
+function nuke_session() {
+	unset($_SESSION['authenticated']);
+	unset($_SESSION['uid']);
+	unset($_SESSION['visitor_id']);
+	unset($_SESSION['administrator']);
+	unset($_SESSION['cid']);
+	unset($_SESSION['theme']);
+	unset($_SESSION['page_flags']);
+}
+
+
 // login/logout 
 
+
+
+
 if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
 
 	if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
 	
 		// process logout request
 
-		unset($_SESSION['authenticated']);
-		unset($_SESSION['uid']);
-		unset($_SESSION['visitor_id']);
-		unset($_SESSION['administrator']);
-		unset($_SESSION['cid']);
-		unset($_SESSION['theme']);
-		unset($_SESSION['page_flags']);
+		nuke_session();
 		notice( t('Logged out.') . EOL);
 		goaway($a->get_baseurl());
 	}
@@ -23,13 +32,19 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 
 		// already logged in user returning
 
+		$check = get_config('system','paranoia');
+		// extra paranoia - if the IP changed, log them out
+		if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
+			nuke_session();
+			goaway($a->get_baseurl());
+		}
+
 		$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
 			intval($_SESSION['uid'])
 		);
 
 		if(! count($r)) {
-			unset($_SESSION['authenticated']);
-			unset($_SESSION['uid']);
+			nuke_session();
 			goaway($a->get_baseurl());
 		}
 
@@ -57,14 +72,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 else {
 
 	if(isset($_SESSION)) {
-		unset($_SESSION['authenticated']);
-		unset($_SESSION['uid']);
-		unset($_SESSION['visitor_id']);
-		unset($_SESSION['administrator']);
-		unset($_SESSION['cid']);
-		unset($_SESSION['theme']);
-		unset($_SESSION['my_url']);
-		unset($_SESSION['page_flags']);
+		nuke_session();
 	}
 
 	if((x($_POST,'password')) && strlen($_POST['password']))
@@ -140,6 +148,7 @@ else {
 		$_SESSION['authenticated'] = 1;
 		$_SESSION['page_flags'] = $r[0]['page-flags'];
 		$_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname'];
+		$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
 
 		notice( t("Welcome back ") . $r[0]['username'] . EOL);
 		$a->user = $r[0];
-- 
cgit v1.2.3