From dd215607f37121be296c6da645d6398562c6ff44 Mon Sep 17 00:00:00 2001
From: friendica
Date: Mon, 21 Jul 2014 21:28:45 -0700
Subject: paranoia tweaks
---
 include/auth.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'include')
diff --git a/include/auth.php b/include/auth.php
index a8a1a5f5c..cc07917b7 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -128,13 +128,17 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 // first check if we're enforcing that sessions can't change IP address
- if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
 logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
 $partial1 = substr($_SESSION['addr'],0,strrpos($_SESSION['addr'],'.'));
 $partial2 = substr($_SERVER['REMOTE_ADDR'],0,strrpos($_SERVER['REMOTE_ADDR'],'.'));
- $paranoia = intval(get_config('system','paranoia'));
+
+ $paranoia = intval(get_pconfig($_SESSION['uid'],'system','paranoia'));
+ if(! $paranoia)
+ $paranoia = intval(get_config('system','paranoia'));
+
 switch($paranoia) {
 case 0: // no IP checking
-- 
cgit v1.2.3
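Review bot: The per-user `paranoia` value replaces the site value whenever it is non-zero, so an account can select a weaker level than the site setting (assuming larger numbers mean stricter checking, which the visible `case 0: // no IP checking` suggests but does not prove). If the site value is meant as a floor, combine the two instead: `$paranoia = max(intval(get_pconfig($_SESSION['uid'],'system','paranoia')), intval(get_config('system','paranoia')));`. Separately, the new `$_SESSION['addr'] &&` guard skips the whole check when no address was recorded for the session, so such sessions are never bound to an IP. Storing `$_SERVER['REMOTE_ADDR']` into the session at that point would close the gap, and a short comment should say which sessions are expected to lack `addr`. The enclosing `if` block and the `switch` continue outside the hunk, so whether `$_SESSION['uid']` is always set here cannot be confirmed from these lines.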