2 files changed, 417 insertions, 0 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
new file mode 100644
index 00000000..e7b9b21e
--- /dev/null
+++ b/application/security/LoginManager.php
@@ -0,0 +1,238 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * User login management
+ */
+class LoginManager
+{
+    /** @var array A reference to the $_GLOBALS array */
+    protected $globals = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $configManager = null;
+    /** @var SessionManager Session Manager instance **/
+    protected $sessionManager = null;
+    /** @var string Path to the file containing IP bans */
+    protected $banFile = '';
+    /** @var bool Whether the user is logged in **/
+    protected $isLoggedIn = false;
+    /** @var bool Whether the Shaarli instance is open to public edition **/
+    protected $openShaarli = false;
+    /**
+     * Constructor
+     *
+     * @param array          $globals        The $GLOBALS array (reference)
+     * @param ConfigManager  $configManager  Configuration Manager instance
+     * @param SessionManager $sessionManager SessionManager instance
+     */
+    public function __construct(& $globals, $configManager, $sessionManager)
+    {
+        $this->globals = &$globals;
+        $this->configManager = $configManager;
+        $this->sessionManager = $sessionManager;
+        $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
+        $this->readBanFile();
+        if ($this->configManager->get('security.open_shaarli')) {
+            $this->openShaarli = true;
+        }
+    }
+    /**
+     * Check user session state and validity (expiration)
+     *
+     * @param array  $cookie     The $_COOKIE array
+     * @param string $webPath    Path on the server in which the cookie will be available on
+     * @param string $clientIpId Client IP address identifier
+     * @param string $token      Session token
+     *
+     * @return bool true if the user session is valid, false otherwise
+     */
+    public function checkLoginState($cookie, $webPath, $clientIpId, $token)
+    {
+        if (! $this->configManager->exists('credentials.login')) {
+            // Shaarli is not configured yet
+            $this->isLoggedIn = false;
+            return;
+        }
+        if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE])
+            && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token
+        ) {
+            $this->sessionManager->storeLoginInfo($clientIpId);
+            $this->isLoggedIn = true;
+        }
+        if ($this->sessionManager->hasSessionExpired()
+            || $this->sessionManager->hasClientIpChanged($clientIpId)
+        ) {
+            $this->sessionManager->logout($webPath);
+            $this->isLoggedIn = false;
+            return;
+        }
+        $this->sessionManager->extendSession();
+    }
+    /**
+     * Return whether the user is currently logged in
+     *
+     * @return true when the user is logged in, false otherwise
+     */
+    public function isLoggedIn()
+    {
+        if ($this->openShaarli) {
+            return true;
+        }
+        return $this->isLoggedIn;
+    }
+    /**
+     * Check user credentials are valid
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
+    {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        if ($login != $this->configManager->get('credentials.login')
+            || $hash != $this->configManager->get('credentials.hash')
+        ) {
+            logm(
+                $this->configManager->get('resource.log'),
+                $remoteIp,
+                'Login failed for user ' . $login
+            );
+            return false;
+        }
+        $this->sessionManager->storeLoginInfo($clientIpId);
+        logm(
+            $this->configManager->get('resource.log'),
+            $remoteIp,
+            'Login successful'
+        );
+        return true;
+    }
+    /**
+     * Read a file containing banned IPs
+     */
+    protected function readBanFile()
+    {
+        if (! file_exists($this->banFile)) {
+            return;
+        }
+        include $this->banFile;
+    }
+    /**
+     * Write the banned IPs to a file
+     */
+    protected function writeBanFile()
+    {
+        if (! array_key_exists('IPBANS', $this->globals)) {
+            return;
+        }
+        file_put_contents(
+            $this->banFile,
+            "<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
+        );
+    }
+    /**
+     * Handle a failed login and ban the IP after too many failed attempts
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleFailedLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        $trusted = $this->configManager->get('security.trusted_proxies', []);
+        if (in_array($ip, $trusted)) {
+            $ip = getIpAddressFromProxy($server, $trusted);
+            if (! $ip) {
+                // the IP is behind a trusted forward proxy, but is not forwarded
+                // in the HTTP headers, so we do nothing
+                return;
+            }
+        }
+        // increment the fail count for this IP
+        if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
+            $this->globals['IPBANS']['FAILURES'][$ip]++;
+        } else {
+            $this->globals['IPBANS']['FAILURES'][$ip] = 1;
+        }
+        if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
+            $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
+            logm(
+                $this->configManager->get('resource.log'),
+                $server['REMOTE_ADDR'],
+                'IP address banned from login'
+            );
+        }
+        $this->writeBanFile();
+    }
+    /**
+     * Handle a successful login
+     *
+     * @param array $server The $_SERVER array
+     */
+    public function handleSuccessfulLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        // FIXME unban when behind a trusted proxy?
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+    }
+    /**
+     * Check if the user can login from this IP
+     *
+     * @param array $server The $_SERVER array
+     *
+     * @return bool true if the user is allowed to login
+     */
+    public function canLogin($server)
+    {
+        $ip = $server['REMOTE_ADDR'];
+        if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
+            // the user is not banned
+            return true;
+        }
+        if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
+            // the user is still banned
+            return false;
+        }
+        // the ban has expired, the user can attempt to log in again
+        logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
+        unset($this->globals['IPBANS']['FAILURES'][$ip]);
+        unset($this->globals['IPBANS']['BANS'][$ip]);
+        $this->writeBanFile();
+        return true;
+    }
+}
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
new file mode 100644
index 00000000..6f004b24
--- /dev/null
+++ b/application/security/SessionManager.php
@@ -0,0 +1,179 @@
+<?php
+namespace Shaarli\Security;
+use Shaarli\Config\ConfigManager;
+/**
+ * Manages the server-side session
+ */
+class SessionManager
+{
+    /** @var int Session expiration timeout, in seconds */
+    public static $INACTIVITY_TIMEOUT = 3600;
+    /** @var string Name of the cookie set after logging in **/
+    public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
+    /** @var array Local reference to the global $_SESSION array */
+    protected $session = [];
+    /** @var ConfigManager Configuration Manager instance **/
+    protected $conf = null;
+    /**
+     * Constructor
+     *
+     * @param array         $session The $_SESSION array (reference)
+     * @param ConfigManager $conf    ConfigManager instance
+     */
+    public function __construct(& $session, $conf)
+    {
+        $this->session = &$session;
+        $this->conf = $conf;
+    }
+    /**
+     * Generates a session token
+     *
+     * @return string token
+     */
+    public function generateToken()
+    {
+        $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
+        $this->session['tokens'][$token] = 1;
+        return $token;
+    }
+    /**
+     * Checks the validity of a session token, and destroys it afterwards
+     *
+     * @param string $token The token to check
+     *
+     * @return bool true if the token is valid, else false
+     */
+    public function checkToken($token)
+    {
+        if (! isset($this->session['tokens'][$token])) {
+            // the token is wrong, or has already been used
+            return false;
+        }
+        // destroy the token to prevent future use
+        unset($this->session['tokens'][$token]);
+        return true;
+    }
+    /**
+     * Validate session ID to prevent Full Path Disclosure.
+     *
+     * See #298.
+     * The session ID's format depends on the hash algorithm set in PHP settings
+     *
+     * @param string $sessionId Session ID
+     *
+     * @return true if valid, false otherwise.
+     *
+     * @see http://php.net/manual/en/function.hash-algos.php
+     * @see http://php.net/manual/en/session.configuration.php
+     */
+    public static function checkId($sessionId)
+    {
+        if (empty($sessionId)) {
+            return false;
+        }
+        if (!$sessionId) {
+            return false;
+        }
+        if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Store user login information after a successful login
+     *
+     * @param string $clientIpId Client IP address identifier
+     */
+    public function storeLoginInfo($clientIpId)
+    {
+        // Generate unique random number (different than phpsessionid)
+        $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
+        $this->session['ip'] = $clientIpId;
+        $this->session['username'] = $this->conf->get('credentials.login');
+        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+    }
+    /**
+     * Extend session validity
+     */
+    public function extendSession()
+    {
+        if (! empty($this->session['longlastingsession'])) {
+            // "Stay signed in" is enabled
+            $this->session['expires_on'] = time() + $this->session['longlastingsession'];
+            return;
+        }
+        $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
+    }
+    /**
+     * Logout a user by unsetting all login information
+     *
+     * See:
+     * - https://secure.php.net/manual/en/function.setcookie.php
+     *
+     * @param string $webPath path on the server in which the cookie will be available on
+     */
+    public function logout($webPath)
+    {
+        if (isset($this->session)) {
+            unset($this->session['uid']);
+            unset($this->session['ip']);
+            unset($this->session['username']);
+            unset($this->session['visibility']);
+            unset($this->session['untaggedonly']);
+        }
+        setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
+    }
+    /**
+     * Check whether the session has expired
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the session has expired, false otherwise
+     */
+    public function hasSessionExpired()
+    {
+        if (empty($this->session['uid'])) {
+            return true;
+        }
+        if (time() >= $this->session['expires_on']) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check whether the client IP address has changed
+     *
+     * @param string $clientIpId Client IP address identifier
+     *
+     * @return bool true if the IP has changed, false if it has not, or
+     *              if session protection has been disabled
+     */
+    public function hasClientIpChanged($clientIpId)
+    {
+        if ($this->conf->get('security.session_protection_disabled') === true) {
+            return false;
+        }
+        if ($this->session['ip'] == $clientIpId) {
+            return false;
+        }
+        return true;
+    }
+}

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..e7b9b21e --- /dev/null +++ b/application/security/LoginManager.php
@@ -0,0 +1,238 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* User login management
	8	*/
	9	class LoginManager
	10	{
	11	/** @var array A reference to the $_GLOBALS array */
	12	protected $globals = [];
	13
	14	/ @var ConfigManager Configuration Manager instance /
	15	protected $configManager = null;
	16
	17	/ @var SessionManager Session Manager instance /
	18	protected $sessionManager = null;
	19
	20	/** @var string Path to the file containing IP bans */
	21	protected $banFile = '';
	22
	23	/ @var bool Whether the user is logged in /
	24	protected $isLoggedIn = false;
	25
	26	/ @var bool Whether the Shaarli instance is open to public edition /
	27	protected $openShaarli = false;
	28
	29	/**
	30	* Constructor
	31	*
	32	* @param array $globals The $GLOBALS array (reference)
	33	* @param ConfigManager $configManager Configuration Manager instance
	34	* @param SessionManager $sessionManager SessionManager instance
	35	*/
	36	public function __construct(& $globals, $configManager, $sessionManager)
	37	{
	38	$this->globals = &$globals;
	39	$this->configManager = $configManager;
	40	$this->sessionManager = $sessionManager;
	41	$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
	42	$this->readBanFile();
	43	if ($this->configManager->get('security.open_shaarli')) {
	44	$this->openShaarli = true;
	45	}
	46	}
	47
	48	/**
	49	* Check user session state and validity (expiration)
	50	*
	51	* @param array $cookie The $_COOKIE array
	52	* @param string $webPath Path on the server in which the cookie will be available on
	53	* @param string $clientIpId Client IP address identifier
	54	* @param string $token Session token
	55	*
	56	* @return bool true if the user session is valid, false otherwise
	57	*/
	58	public function checkLoginState($cookie, $webPath, $clientIpId, $token)
	59	{
	60	if (! $this->configManager->exists('credentials.login')) {
	61	// Shaarli is not configured yet
	62	$this->isLoggedIn = false;
	63	return;
	64	}
	65
	66	if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE])
	67	&& $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token
	68	) {
	69	$this->sessionManager->storeLoginInfo($clientIpId);
	70	$this->isLoggedIn = true;
	71	}
	72
	73	if ($this->sessionManager->hasSessionExpired()
	74	\|\| $this->sessionManager->hasClientIpChanged($clientIpId)
	75	) {
	76	$this->sessionManager->logout($webPath);
	77	$this->isLoggedIn = false;
	78	return;
	79	}
	80
	81	$this->sessionManager->extendSession();
	82	}
	83
	84	/**
	85	* Return whether the user is currently logged in
	86	*
	87	* @return true when the user is logged in, false otherwise
	88	*/
	89	public function isLoggedIn()
	90	{
	91	if ($this->openShaarli) {
	92	return true;
	93	}
	94	return $this->isLoggedIn;
	95	}
	96
	97	/**
	98	* Check user credentials are valid
	99	*
	100	* @param string $remoteIp Remote client IP address
	101	* @param string $clientIpId Client IP address identifier
	102	* @param string $login Username
	103	* @param string $password Password
	104	*
	105	* @return bool true if the provided credentials are valid, false otherwise
	106	*/
	107	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
	108	{
	109	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
	110
	111	if ($login != $this->configManager->get('credentials.login')
	112	\|\| $hash != $this->configManager->get('credentials.hash')
	113	) {
	114	logm(
	115	$this->configManager->get('resource.log'),
	116	$remoteIp,
	117	'Login failed for user ' . $login
	118	);
	119	return false;
	120	}
	121
	122	$this->sessionManager->storeLoginInfo($clientIpId);
	123	logm(
	124	$this->configManager->get('resource.log'),
	125	$remoteIp,
	126	'Login successful'
	127	);
	128	return true;
	129	}
	130
	131	/**
	132	* Read a file containing banned IPs
	133	*/
	134	protected function readBanFile()
	135	{
	136	if (! file_exists($this->banFile)) {
	137	return;
	138	}
	139	include $this->banFile;
	140	}
	141
	142	/**
	143	* Write the banned IPs to a file
	144	*/
	145	protected function writeBanFile()
	146	{
	147	if (! array_key_exists('IPBANS', $this->globals)) {
	148	return;
	149	}
	150	file_put_contents(
	151	$this->banFile,
	152	"<?php\n\$GLOBALS['IPBANS']=" . var_export($this->globals['IPBANS'], true) . ";\n?>"
	153	);
	154	}
	155
	156	/**
	157	* Handle a failed login and ban the IP after too many failed attempts
	158	*
	159	* @param array $server The $_SERVER array
	160	*/
	161	public function handleFailedLogin($server)
	162	{
	163	$ip = $server['REMOTE_ADDR'];
	164	$trusted = $this->configManager->get('security.trusted_proxies', []);
	165
	166	if (in_array($ip, $trusted)) {
	167	$ip = getIpAddressFromProxy($server, $trusted);
	168	if (! $ip) {
	169	// the IP is behind a trusted forward proxy, but is not forwarded
	170	// in the HTTP headers, so we do nothing
	171	return;
	172	}
	173	}
	174
	175	// increment the fail count for this IP
	176	if (isset($this->globals['IPBANS']['FAILURES'][$ip])) {
	177	$this->globals['IPBANS']['FAILURES'][$ip]++;
	178	} else {
	179	$this->globals['IPBANS']['FAILURES'][$ip] = 1;
	180	}
	181
	182	if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) {
	183	$this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800);
	184	logm(
	185	$this->configManager->get('resource.log'),
	186	$server['REMOTE_ADDR'],
	187	'IP address banned from login'
	188	);
	189	}
	190	$this->writeBanFile();
	191	}
	192
	193	/**
	194	* Handle a successful login
	195	*
	196	* @param array $server The $_SERVER array
	197	*/
	198	public function handleSuccessfulLogin($server)
	199	{
	200	$ip = $server['REMOTE_ADDR'];
	201	// FIXME unban when behind a trusted proxy?
	202
	203	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	204	unset($this->globals['IPBANS']['BANS'][$ip]);
	205
	206	$this->writeBanFile();
	207	}
	208
	209	/**
	210	* Check if the user can login from this IP
	211	*
	212	* @param array $server The $_SERVER array
	213	*
	214	* @return bool true if the user is allowed to login
	215	*/
	216	public function canLogin($server)
	217	{
	218	$ip = $server['REMOTE_ADDR'];
	219
	220	if (! isset($this->globals['IPBANS']['BANS'][$ip])) {
	221	// the user is not banned
	222	return true;
	223	}
	224
	225	if ($this->globals['IPBANS']['BANS'][$ip] > time()) {
	226	// the user is still banned
	227	return false;
	228	}
	229
	230	// the ban has expired, the user can attempt to log in again
	231	logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.');
	232	unset($this->globals['IPBANS']['FAILURES'][$ip]);
	233	unset($this->globals['IPBANS']['BANS'][$ip]);
	234
	235	$this->writeBanFile();
	236	return true;
	237	}
	238	}


diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php new file mode 100644 index 00000000..6f004b24 --- /dev/null +++ b/application/security/SessionManager.php
@@ -0,0 +1,179 @@
	1	<?php
	2	namespace Shaarli\Security;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	/**
	7	* Manages the server-side session
	8	*/
	9	class SessionManager
	10	{
	11	/** @var int Session expiration timeout, in seconds */
	12	public static $INACTIVITY_TIMEOUT = 3600;
	13
	14	/ @var string Name of the cookie set after logging in /
	15	public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn';
	16
	17	/** @var array Local reference to the global $_SESSION array */
	18	protected $session = [];
	19
	20	/ @var ConfigManager Configuration Manager instance /
	21	protected $conf = null;
	22
	23	/**
	24	* Constructor
	25	*
	26	* @param array $session The $_SESSION array (reference)
	27	* @param ConfigManager $conf ConfigManager instance
	28	*/
	29	public function __construct(& $session, $conf)
	30	{
	31	$this->session = &$session;
	32	$this->conf = $conf;
	33	}
	34
	35	/**
	36	* Generates a session token
	37	*
	38	* @return string token
	39	*/
	40	public function generateToken()
	41	{
	42	$token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt'));
	43	$this->session['tokens'][$token] = 1;
	44	return $token;
	45	}
	46
	47	/**
	48	* Checks the validity of a session token, and destroys it afterwards
	49	*
	50	* @param string $token The token to check
	51	*
	52	* @return bool true if the token is valid, else false
	53	*/
	54	public function checkToken($token)
	55	{
	56	if (! isset($this->session['tokens'][$token])) {
	57	// the token is wrong, or has already been used
	58	return false;
	59	}
	60
	61	// destroy the token to prevent future use
	62	unset($this->session['tokens'][$token]);
	63	return true;
	64	}
	65
	66	/**
	67	* Validate session ID to prevent Full Path Disclosure.
	68	*
	69	* See #298.
	70	* The session ID's format depends on the hash algorithm set in PHP settings
	71	*
	72	* @param string $sessionId Session ID
	73	*
	74	* @return true if valid, false otherwise.
	75	*
	76	* @see http://php.net/manual/en/function.hash-algos.php
	77	* @see http://php.net/manual/en/session.configuration.php
	78	*/
	79	public static function checkId($sessionId)
	80	{
	81	if (empty($sessionId)) {
	82	return false;
	83	}
	84
	85	if (!$sessionId) {
	86	return false;
	87	}
	88
	89	if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) {
	90	return false;
	91	}
	92
	93	return true;
	94	}
	95
	96	/**
	97	* Store user login information after a successful login
	98	*
	99	* @param string $clientIpId Client IP address identifier
	100	*/
	101	public function storeLoginInfo($clientIpId)
	102	{
	103	// Generate unique random number (different than phpsessionid)
	104	$this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand());
	105	$this->session['ip'] = $clientIpId;
	106	$this->session['username'] = $this->conf->get('credentials.login');
	107	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
	108	}
	109
	110	/**
	111	* Extend session validity
	112	*/
	113	public function extendSession()
	114	{
	115	if (! empty($this->session['longlastingsession'])) {
	116	// "Stay signed in" is enabled
	117	$this->session['expires_on'] = time() + $this->session['longlastingsession'];
	118	return;
	119	}
	120	$this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT;
	121	}
	122
	123	/**
	124	* Logout a user by unsetting all login information
	125	*
	126	* See:
	127	* - https://secure.php.net/manual/en/function.setcookie.php
	128	*
	129	* @param string $webPath path on the server in which the cookie will be available on
	130	*/
	131	public function logout($webPath)
	132	{
	133	if (isset($this->session)) {
	134	unset($this->session['uid']);
	135	unset($this->session['ip']);
	136	unset($this->session['username']);
	137	unset($this->session['visibility']);
	138	unset($this->session['untaggedonly']);
	139	}
	140	setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath);
	141	}
	142
	143	/**
	144	* Check whether the session has expired
	145	*
	146	* @param string $clientIpId Client IP address identifier
	147	*
	148	* @return bool true if the session has expired, false otherwise
	149	*/
	150	public function hasSessionExpired()
	151	{
	152	if (empty($this->session['uid'])) {
	153	return true;
	154	}
	155	if (time() >= $this->session['expires_on']) {
	156	return true;
	157	}
	158	return false;
	159	}
	160
	161	/**
	162	* Check whether the client IP address has changed
	163	*
	164	* @param string $clientIpId Client IP address identifier
	165	*
	166	* @return bool true if the IP has changed, false if it has not, or
	167	* if session protection has been disabled
	168	*/
	169	public function hasClientIpChanged($clientIpId)
	170	{
	171	if ($this->conf->get('security.session_protection_disabled') === true) {
	172	return false;
	173	}
	174	if ($this->session['ip'] == $clientIpId) {
	175	return false;
	176	}
	177	return true;
	178	}
	179	}