From dd215607f37121be296c6da645d6398562c6ff44 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 21 Jul 2014 21:28:45 -0700 Subject: paranoia tweaks --- include/auth.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'include/auth.php') diff --git a/include/auth.php b/include/auth.php index a8a1a5f5c..cc07917b7 100644 --- a/include/auth.php +++ b/include/auth.php @@ -128,13 +128,17 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p // first check if we're enforcing that sessions can't change IP address - if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) { + if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) { logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']); $partial1 = substr($_SESSION['addr'],0,strrpos($_SESSION['addr'],'.')); $partial2 = substr($_SERVER['REMOTE_ADDR'],0,strrpos($_SERVER['REMOTE_ADDR'],'.')); - $paranoia = intval(get_config('system','paranoia')); + + $paranoia = intval(get_pconfig($_SESSION['uid'],'system','paranoia')); + if(! $paranoia) + $paranoia = intval(get_config('system','paranoia')); + switch($paranoia) { case 0: // no IP checking -- cgit v1.2.3