From d9ba1cdd44a7eec9e7f4d429087c6ba838ad473e Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Tue, 17 Jul 2018 14:13:37 +0200 Subject: Do not check the IP address with session protection disabled This allows the user to stay logged in if his IP changes. Fixes #1106 --- application/security/LoginManager.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'application') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index d6784d6d..5a58926d 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -58,6 +58,9 @@ class LoginManager */ public function generateStaySignedInToken($clientIpAddress) { + if ($this->configManager->get('security.session_protection_disabled') === true) { + $clientIpAddress = ''; + } $this->staySignedInToken = sha1( $this->configManager->get('credentials.hash') . $clientIpAddress -- cgit v1.2.3