1 files changed, 32 insertions, 1 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index 83a4c5e2..e9282506 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -1,7 +1,7 @@
 <?php
 /**
 * GET an HTTP URL to retrieve its content
- * Uses the cURL library or a fallback method 
+ * Uses the cURL library or a fallback method
 *
 * @param string          $url               URL to get (http://...)
 * @param int             $timeout           network timeout (in seconds)
@@ -415,6 +415,37 @@ function getIpAddressFromProxy($server, $trustedIps)
    return array_pop($ips);
 }
+/**
+ * Return an identifier based on the advertised client IP address(es)
+ *
+ * This aims at preventing session hijacking from users behind the same proxy
+ * by relying on HTTP headers.
+ *
+ * See:
+ * - https://secure.php.net/manual/en/reserved.variables.server.php
+ * - https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php
+ * - https://stackoverflow.com/questions/12233406/preventing-session-hijacking
+ * - https://stackoverflow.com/questions/21354859/trusting-x-forwarded-for-to-identify-a-visitor
+ *
+ * @param array $server The $_SERVER array
+ *
+ * @return string An identifier based on client IP address information
+ */
+function client_ip_id($server)
+{
+    $ip = $server['REMOTE_ADDR'];
+    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
+        $ip = $ip . '_' . $server['HTTP_X_FORWARDED_FOR'];
+    }
+    if (isset($server['HTTP_CLIENT_IP'])) {
+        $ip = $ip . '_' . $server['HTTP_CLIENT_IP'];
+    }
+    return $ip;
+}
 /**
 * Returns true if Shaarli's currently browsed in HTTPS.
 * Supports reverse proxies (if the headers are correctly set).

diff --git a/application/HttpUtils.php b/application/HttpUtils.php index 83a4c5e2..e9282506 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php
@@ -1,7 +1,7 @@
1	<?php	1	<?php
2	/**	2	/**
3	* GET an HTTP URL to retrieve its content	3	* GET an HTTP URL to retrieve its content
4	* Uses the cURL library or a fallback method	4	* Uses the cURL library or a fallback method
5	*	5	*
6	* @param string $url URL to get (http://...)	6	* @param string $url URL to get (http://...)
7	* @param int $timeout network timeout (in seconds)	7	* @param int $timeout network timeout (in seconds)
@@ -415,6 +415,37 @@ function getIpAddressFromProxy($server, $trustedIps)
415	return array_pop($ips);	415	return array_pop($ips);
416	}	416	}
417		417
		418
		419	/**
		420	* Return an identifier based on the advertised client IP address(es)
		421	*
		422	* This aims at preventing session hijacking from users behind the same proxy
		423	* by relying on HTTP headers.
		424	*
		425	* See:
		426	* - https://secure.php.net/manual/en/reserved.variables.server.php
		427	* - https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php
		428	* - https://stackoverflow.com/questions/12233406/preventing-session-hijacking
		429	* - https://stackoverflow.com/questions/21354859/trusting-x-forwarded-for-to-identify-a-visitor
		430	*
		431	* @param array $server The $_SERVER array
		432	*
		433	* @return string An identifier based on client IP address information
		434	*/
		435	function client_ip_id($server)
		436	{
		437	$ip = $server['REMOTE_ADDR'];
		438
		439	if (isset($server['HTTP_X_FORWARDED_FOR'])) {
		440	$ip = $ip . '_' . $server['HTTP_X_FORWARDED_FOR'];
		441	}
		442	if (isset($server['HTTP_CLIENT_IP'])) {
		443	$ip = $ip . '_' . $server['HTTP_CLIENT_IP'];
		444	}
		445	return $ip;
		446	}
		447
		448
418	/**	449	/**
419	* Returns true if Shaarli's currently browsed in HTTPS.	450	* Returns true if Shaarli's currently browsed in HTTPS.
420	* Supports reverse proxies (if the headers are correctly set).	451	* Supports reverse proxies (if the headers are correctly set).