mirror of
https://github.com/friendica/friendica
synced 2024-12-23 11:20:15 +00:00
paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in.
This commit is contained in:
parent
3672335dec
commit
67e827e128
1 changed files with 26 additions and 17 deletions
|
@ -1,13 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
// login/logout
|
|
||||||
|
|
||||||
if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
|
|
||||||
|
|
||||||
if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
|
|
||||||
|
|
||||||
// process logout request
|
|
||||||
|
|
||||||
|
function nuke_session() {
|
||||||
unset($_SESSION['authenticated']);
|
unset($_SESSION['authenticated']);
|
||||||
unset($_SESSION['uid']);
|
unset($_SESSION['uid']);
|
||||||
unset($_SESSION['visitor_id']);
|
unset($_SESSION['visitor_id']);
|
||||||
|
@ -15,6 +9,21 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
|
||||||
unset($_SESSION['cid']);
|
unset($_SESSION['cid']);
|
||||||
unset($_SESSION['theme']);
|
unset($_SESSION['theme']);
|
||||||
unset($_SESSION['page_flags']);
|
unset($_SESSION['page_flags']);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// login/logout
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
|
||||||
|
|
||||||
|
if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
|
||||||
|
|
||||||
|
// process logout request
|
||||||
|
|
||||||
|
nuke_session();
|
||||||
notice( t('Logged out.') . EOL);
|
notice( t('Logged out.') . EOL);
|
||||||
goaway($a->get_baseurl());
|
goaway($a->get_baseurl());
|
||||||
}
|
}
|
||||||
|
@ -23,13 +32,19 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
|
||||||
|
|
||||||
// already logged in user returning
|
// already logged in user returning
|
||||||
|
|
||||||
|
$check = get_config('system','paranoia');
|
||||||
|
// extra paranoia - if the IP changed, log them out
|
||||||
|
if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
|
||||||
|
nuke_session();
|
||||||
|
goaway($a->get_baseurl());
|
||||||
|
}
|
||||||
|
|
||||||
$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
|
$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
|
||||||
intval($_SESSION['uid'])
|
intval($_SESSION['uid'])
|
||||||
);
|
);
|
||||||
|
|
||||||
if(! count($r)) {
|
if(! count($r)) {
|
||||||
unset($_SESSION['authenticated']);
|
nuke_session();
|
||||||
unset($_SESSION['uid']);
|
|
||||||
goaway($a->get_baseurl());
|
goaway($a->get_baseurl());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -57,14 +72,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
|
||||||
else {
|
else {
|
||||||
|
|
||||||
if(isset($_SESSION)) {
|
if(isset($_SESSION)) {
|
||||||
unset($_SESSION['authenticated']);
|
nuke_session();
|
||||||
unset($_SESSION['uid']);
|
|
||||||
unset($_SESSION['visitor_id']);
|
|
||||||
unset($_SESSION['administrator']);
|
|
||||||
unset($_SESSION['cid']);
|
|
||||||
unset($_SESSION['theme']);
|
|
||||||
unset($_SESSION['my_url']);
|
|
||||||
unset($_SESSION['page_flags']);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if((x($_POST,'password')) && strlen($_POST['password']))
|
if((x($_POST,'password')) && strlen($_POST['password']))
|
||||||
|
@ -140,6 +148,7 @@ else {
|
||||||
$_SESSION['authenticated'] = 1;
|
$_SESSION['authenticated'] = 1;
|
||||||
$_SESSION['page_flags'] = $r[0]['page-flags'];
|
$_SESSION['page_flags'] = $r[0]['page-flags'];
|
||||||
$_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname'];
|
$_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname'];
|
||||||
|
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
|
||||||
|
|
||||||
notice( t("Welcome back ") . $r[0]['username'] . EOL);
|
notice( t("Welcome back ") . $r[0]['username'] . EOL);
|
||||||
$a->user = $r[0];
|
$a->user = $r[0];
|
||||||
|
|
Loading…
Reference in a new issue