From d1a2aecfa05927b79350500b7c0f9d9b978afbeb Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sun, 10 Apr 2016 19:20:41 -0700
Subject: move more session related stuff such as paranoia handling (IP address changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions).
---
 include/auth.php | 38 ++------------------------------------
 1 file changed, 2 insertions(+), 36 deletions(-)
(limited to 'include/auth.php')
diff --git a/include/auth.php b/include/auth.php
index f31bc074d..9643da8eb 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -141,42 +141,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) {
- // first check if we're enforcing that sessions can't change IP address
- // @todo what to do with IPv6 addresses
- if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
- logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-
- $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
- $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
-
- $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
- if(! $paranoia)
- $paranoia = intval(get_config('system', 'paranoia'));
-
- switch($paranoia) {
- case 0:
- // no IP checking
- break;
- case 2:
- // check 2 octets
- $partial1 = substr($partial1, 0, strrpos($partial1, '.'));
- $partial2 = substr($partial2, 0, strrpos($partial2, '.'));
- if($partial1 == $partial2)
- break;
- case 1:
- // check 3 octets
- if($partial1 == $partial2)
- break;
- case 3:
- default:
- // check any difference at all
- logger('Session address changed. Paranoid setting in effect, blocking session. '
- . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- \Zotlabs\Web\Session::nuke();
- goaway(z_root());
- break;
- }
- }
+ Zotlabs\Web\Session::return_check();
 $r = q("select * from account where account_id = %d limit 1",
 intval($_SESSION['account_id'])
@@ -190,6 +155,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
 }
 if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {
 $_SESSION['last_login_date'] = datetime_convert();
+ Zotlabs\Web\Session::extend_cookie();
 $login_refresh = true;
 }
 authenticate_success($r[0], false, false, false, $login_refresh);
-- 
cgit v1.2.3
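Review bot: The new `Zotlabs\Web\Session::return_check();` line carries none of the explanation the removed block had, so a reader of auth.php no longer sees that this is where the IP-change (`paranoia`) policy is enforced, nor that IPv6 addresses were an open `@todo`; a one-line comment at the call site, `// enforce the system/per-user 'paranoia' IP-change policy (logic moved into Session::return_check)`, would keep that visible, and the IPv6 caveat belongs wherever the octet comparison now lives. In the second hunk, `Zotlabs\Web\Session::extend_cookie();` sits inside the existing 12-hour `last_login_date` branch, so the cookie is renewed at most every 12 hours rather than the "once a day" the commit message describes; a comment such as `// renew the remember_me cookie on the same 12-hour cadence as the login refresh` would document the actual behaviour. The leading `\` used by the removed `\Zotlabs\Web\Session::nuke()` call is dropped in both new calls; that resolves identically only while auth.php stays in the global namespace. The enclosing `if((isset($_SESSION)) ...` block begins before the first hunk and continues past the second.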