authorVirtualTam <virtualtam@flibidi.net>2018-02-16 21:51:44 +0100
committerVirtualTam <virtualtam@flibidi.net>2018-05-29 22:53:54 +0200
commit88110550b89617dcda16441212599b8a40faa20c (patch)
treeac1f137c96ca4df448a802a339fd7a351ce16bcd /index.php
parent8f816d8ddfe9219e15580cef6e5c9037d1d4fd28 (diff)
Refactor client session hijacking protection
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'index.php')
-rw-r--r--index.php14
1 files changed, 2 insertions, 12 deletions
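--- a/index.php
+++ b/index.php
@@ -207,7 +207,7 @@ function setup_login_state($conf)
  }
  // If session does not exist on server side, or IP address has changed, or session has expired, logout.
  if (empty($_SESSION['uid'])
- || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
+ || ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER))
  || time() >= $_SESSION['expires_on'])
  {
  logout();
@@ -231,16 +231,6 @@ $userIsLoggedIn = setup_login_state($conf);
 // ------------------------------------------------------------------------------------------
 // Session management
 
-// Returns the IP address of the client (Used to prevent session cookie hijacking.)
-function allIPs()
-{
- $ip = $_SERVER['REMOTE_ADDR'];
- // Then we use more HTTP headers to prevent session hijacking from users behind the same proxy.
- if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; }
- if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; }
- return $ip;
-}
-
 /**
  * Load user session.
  *
@@ -249,7 +239,7 @@ function allIPs()
 function fillSessionInfo($conf)
 {
  $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
- $_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
+ $_SESSION['ip'] = client_ip_id($_SERVER);
  $_SESSION['username']= $conf->get('credentials.login');
  $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
 }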
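Review bot: The rewritten guard at line 210 of setup_login_state still compares the stored identifier with loose `!=`, so the session-binding check inherits PHP's loose string rules rather than an exact match; as the identifier is an opaque string, `$_SESSION['ip'] !== client_ip_id($_SERVER)` is the safer form. The same hunk also relies on `client_ip_id()`, which is defined outside this file, so whether it still folds in the forwarded-for and client-ip headers that the removed allIPs() used (and which any client can set) cannot be confirmed here; that should be stated where the function is defined. In the third hunk the assignment `$_SESSION['ip'] = client_ip_id($_SERVER);` drops the only comment explaining why the value is kept, so a short note such as `// Client identifier the login check compares against on every request; mismatch forces logout.` would preserve that intent. The body of setup_login_state begins before the first hunk, and the fillSessionInfo docblock is cut at the edge of the second.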