From ef5ffad69073ca047beeed23c508def4e1843922 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sun, 11 May 2014 22:01:53 -0700
Subject: log IP mis-matches even if paranoia isn't set.

---
 include/auth.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

(limited to 'include/auth.php')

diff --git a/include/auth.php b/include/auth.php
index c21705c99..e8f13d0fb 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -117,13 +117,14 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 
 		// first check if we're enforcing that sessions can't change IP address
 
-		$check = get_config('system','paranoia');
-		// extra paranoia - if the IP changed, log them out
-		if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
-			logger('Session address changed. Paranoid setting in effect, blocking session. ' 
-				. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-			nuke_session();
-			goaway(z_root());
+		if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+			logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+			if(get_config('system','paranoia')) {
+				logger('Session address changed. Paranoid setting in effect, blocking session. ' 
+					. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+				nuke_session();
+				goaway(z_root());
+			}
 		}
 
 		$r = q("select * from account where account_id = %d limit 1",
-- 
cgit v1.2.3