From d9ba1cdd44a7eec9e7f4d429087c6ba838ad473e Mon Sep 17 00:00:00 2001
From: ArthurHoaro <arthur@hoa.ro>
Date: Tue, 17 Jul 2018 14:13:37 +0200
Subject: Do not check the IP address with session protection disabled

This allows the user to stay logged in if his IP changes.

Fixes #1106
---
 application/security/LoginManager.php | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'application/security')

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index d6784d6d..5a58926d 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -58,6 +58,9 @@ class LoginManager
      */
     public function generateStaySignedInToken($clientIpAddress)
     {
+        if ($this->configManager->get('security.session_protection_disabled') === true) {
+            $clientIpAddress = '';
+        }
         $this->staySignedInToken = sha1(
             $this->configManager->get('credentials.hash')
             . $clientIpAddress
-- 
cgit v1.2.3