paranoid option to reduce session hijacking by enforcing an IP match on session validation. This is not claimed to be a perfect solution to the problem by any stretch, it merely raises the bar on the script kiddies to the detriment of those whose dynamic IPs aren't long lived. For these reasons it is opt-in.

This commit is contained in:
Friendika 2010-11-29 23:16:14 -08:00
parent 3672335dec
commit 67e827e128


@ -1,20 +1,29 @@
<?php <?php
function nuke_session() {
unset($_SESSION['authenticated']);
unset($_SESSION['uid']);
unset($_SESSION['visitor_id']);
unset($_SESSION['administrator']);
unset($_SESSION['cid']);
unset($_SESSION['theme']);
unset($_SESSION['page_flags']);
}
// login/logout // login/logout
if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) { if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) { if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
// process logout request // process logout request
unset($_SESSION['authenticated']); nuke_session();
unset($_SESSION['uid']);
unset($_SESSION['visitor_id']);
unset($_SESSION['administrator']);
unset($_SESSION['cid']);
unset($_SESSION['theme']);
unset($_SESSION['page_flags']);
notice( t('Logged out.') . EOL); notice( t('Logged out.') . EOL);
goaway($a->get_baseurl()); goaway($a->get_baseurl());
} }
@ -23,13 +32,19 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
// already logged in user returning // already logged in user returning
$check = get_config('system','paranoia');
// extra paranoia - if the IP changed, log them out
if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
nuke_session();
goaway($a->get_baseurl());
}
$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", $r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
intval($_SESSION['uid']) intval($_SESSION['uid'])
); );
if(! count($r)) { if(! count($r)) {
unset($_SESSION['authenticated']); nuke_session();
unset($_SESSION['uid']);
goaway($a->get_baseurl()); goaway($a->get_baseurl());
} }
@ -57,14 +72,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
else { else {
if(isset($_SESSION)) { if(isset($_SESSION)) {
unset($_SESSION['authenticated']); nuke_session();
unset($_SESSION['uid']);
unset($_SESSION['visitor_id']);
unset($_SESSION['administrator']);
unset($_SESSION['cid']);
unset($_SESSION['theme']);
unset($_SESSION['my_url']);
unset($_SESSION['page_flags']);
} }
if((x($_POST,'password')) && strlen($_POST['password'])) if((x($_POST,'password')) && strlen($_POST['password']))
@ -140,6 +148,7 @@ else {
$_SESSION['authenticated'] = 1; $_SESSION['authenticated'] = 1;
$_SESSION['page_flags'] = $r[0]['page-flags']; $_SESSION['page_flags'] = $r[0]['page-flags'];
$_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname']; $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname'];
$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
notice( t("Welcome back ") . $r[0]['username'] . EOL); notice( t("Welcome back ") . $r[0]['username'] . EOL);
$a->user = $r[0]; $a->user = $r[0];
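Review bot: nuke_session() in the first hunk omits `$_SESSION['my_url']`, which the inline block it replaces in the `else` branch still cleared, and it also leaves the new `$_SESSION['addr']` key in place, so a logout no longer wipes everything the login path stores; add `unset($_SESSION['my_url']);` and `unset($_SESSION['addr']);` to the function. The paranoia check in the second hunk uses loose `!=` and reads `$_SESSION['addr']` without checking it exists, so sessions established before this change will raise a notice once the option is enabled; `if($check && ((! isset($_SESSION['addr'])) || ($_SESSION['addr'] !== $_SERVER['REMOTE_ADDR']))) {` keeps the intent and treats a missing address as a mismatch. Behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address for every client, so the check then distinguishes nothing; a comment next to the `get_config('system','paranoia')` read saying the option is only meaningful when PHP sees the client's real address would help operators decide whether to enable it. The outer `if` that these hunks modify starts in the first hunk and ends outside the visible section.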