diff --git a/config.php-dist b/config.php-dist
index a17c352e0..17b2ed53f 100644
--- a/config.php-dist
+++ b/config.php-dist
@@ -104,5 +104,8 @@
 // Store session information in a database (recommended)
 // Uses default PHP session storing mechanism if disabled
+ define('SESSION_CHECK_ADDRESS', true);
+ // Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS)
+
 // vim:ft=php
 ?>
diff --git a/schema/ttrss_schema_mysql.sql b/schema/ttrss_schema_mysql.sql
index 540fc0f22..671577cf9 100644
--- a/schema/ttrss_schema_mysql.sql
+++ b/schema/ttrss_schema_mysql.sql
@@ -259,6 +259,7 @@ create table ttrss_scheduled_updates (id integer not null primary key auto_incre
 create table ttrss_sessions (id varchar(300) unique not null primary key,
 data text,
 expire integer not null,
+ ip_address varchar(15) not null default '',
 index (id),
 index (expire)) TYPE=InnoDB;
diff --git a/schema/ttrss_schema_pgsql.sql b/schema/ttrss_schema_pgsql.sql
index c6bc45217..e393353a8 100644
--- a/schema/ttrss_schema_pgsql.sql
+++ b/schema/ttrss_schema_pgsql.sql
@@ -232,8 +232,9 @@ create table ttrss_scheduled_updates (id serial not null primary key,
 entered timestamp not null default NOW());
 create table ttrss_sessions (id varchar(300) unique not null primary key,
- data text,
- expire integer not null);
+ data text,
+ expire integer not null,
+ ip_address varchar(15) not null default '');
 create index ttrss_sessions_expire_index on ttrss_sessions(expire);
diff --git a/schema/upgrade-1.1.3-1.1.4-mysql.sql b/schema/upgrade-1.1.3-1.1.4-mysql.sql
index 32b45e897..37b3674dc 100644
--- a/schema/upgrade-1.1.3-1.1.4-mysql.sql
+++ b/schema/upgrade-1.1.3-1.1.4-mysql.sql
@@ -8,6 +8,7 @@ alter table ttrss_entries alter column author set default '';
 create table ttrss_sessions (id varchar(300) unique not null primary key,
 data text,
 expire integer not null,
+ ip_address varchar(15) not null default '',
 index (id),
 index (expire)) TYPE=InnoDB;
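Review bot: The new constant lands only in config.php-dist, while the sessions.php hunks in this commit read `SESSION_CHECK_ADDRESS` with no `defined()` fallback, so an existing config.php that lacks this line produces an undefined-constant notice and, on PHP before 8, a truthy bare-word string that silently turns the check on. The comment should say the line is mandatory after an upgrade, e.g. `// Bind sessions to specific IP address (requires DATABASE_BACKED_SESSIONS); existing installs must add this define`. It is also worth one more comment line noting that with `true` a client whose address changes mid-session (proxy pools, mobile handover) is logged out, since that is the operational cost of the binding.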
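Review bot: `ip_address varchar(15)` only fits a dotted IPv4 address, but the value sessions.php stores in it comes from `$_SERVER["REMOTE_ADDR"]`, which can be an IPv6 literal of up to 39 characters (45 in IPv4-mapped form). On MySQL in non-strict mode such a value is truncated, so the later `ip_address = '$ip_address'` comparison never matches and the session can never be read back; on PostgreSQL the INSERT fails outright. Use `ip_address varchar(45) not null default ''` here and in the ttrss_schema_pgsql.sql, upgrade-1.1.3-1.1.4-mysql.sql and upgrade-1.1.3-1.1.4-pgsql.sql hunks, which add the same column.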
diff --git a/schema/upgrade-1.1.3-1.1.4-pgsql.sql b/schema/upgrade-1.1.3-1.1.4-pgsql.sql
index d1d310f3d..0191d6ede 100644
--- a/schema/upgrade-1.1.3-1.1.4-pgsql.sql
+++ b/schema/upgrade-1.1.3-1.1.4-pgsql.sql
@@ -9,7 +9,8 @@ alter table ttrss_entries alter column author set default '';
 create table ttrss_sessions (id varchar(300) unique not null primary key,
 data text,
- expire integer not null);
+ expire integer not null,
+ ip_address varchar(15) not null default '');
 create index ttrss_sessions_id_index on ttrss_sessions(id);
 create index ttrss_sessions_expire_index on ttrss_sessions(expire);
diff --git a/sessions.php b/sessions.php
index 54b862a39..3d931d968 100644
--- a/sessions.php
+++ b/sessions.php
@@ -22,7 +22,13 @@
 global $session_connection,$session_read;
- $query = "SELECT data FROM ttrss_sessions WHERE id='$id'";
+ $ip_address = $_SERVER["REMOTE_ADDR"];
+
+ if (SESSION_CHECK_ADDRESS) {
+ $address_check_qpart = " AND ip_address = '$ip_address'";
+ }
+
+ $query = "SELECT data FROM ttrss_sessions WHERE id='$id' $address_check_qpart";
 $res = db_query($session_connection, $query);
@@ -47,12 +53,18 @@
 $data = db_escape_string(base64_encode($data), $session_connection);
+ $ip_address = $_SERVER["REMOTE_ADDR"];
+
+ if (SESSION_CHECK_ADDRESS) {
+ $address_check_qpart = " AND ip_address = '$ip_address'";
+ }
+
 if ($session_read) {
 $query = "UPDATE ttrss_sessions SET data='$data',
- expire='$expire' WHERE id='$id'";
+ expire='$expire' WHERE id='$id' $address_check_qpart";
 } else {
- $query = "INSERT INTO ttrss_sessions (id, data, expire)
- VALUES ('$id', '$data', '$expire')";
+ $query = "INSERT INTO ttrss_sessions (id, data, expire, ip_address)
+ VALUES ('$id', '$data', '$expire', '$ip_address')";
 }
 db_query($session_connection, $query);
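Review bot: `$address_check_qpart` is assigned only inside the `if (SESSION_CHECK_ADDRESS)` branch, so with the check disabled the SELECT interpolates an undefined variable (a notice, then an empty string); initialise it before the branch with `$address_check_qpart = "";`. The same applies to the write hunk below and to the destroy hunk in this commit. `$ip_address` is also interpolated into SQL without the `db_escape_string()` that the write hunk applies to `$data`; REMOTE_ADDR is set by the web server rather than the client, but keeping the escaping uniform costs one line, `$ip_address = db_escape_string($_SERVER["REMOTE_ADDR"], $session_connection);`. If `$session_read` is set only when the SELECT returned a row (it is set outside these hunks), a session id whose stored address differs will fall into the INSERT branch and collide with the existing primary key, so that case deserves either a comment or explicit handling. The address-qpart snippet is now repeated three times across read, write and destroy and would read better as a single helper.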
@@ -71,8 +83,14 @@
 function destroy ($id) {
 global $session_connection;
-
- $query = "DELETE FROM ttrss_sessions WHERE id = '$id'";
+
+ $ip_address = $_SERVER["REMOTE_ADDR"];
+
+ if (SESSION_CHECK_ADDRESS) {
+ $address_check_qpart = " AND ip_address = '$ip_address'";
+ }
+
+ $query = "DELETE FROM ttrss_sessions WHERE id = '$id' $address_check_qpart";
 db_query($session_connection, $query);
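Review bot: Restricting the DELETE to the current `ip_address` means a destroy issued from an address other than the stored one leaves the row in place until it expires, so the session id apparently stays usable from the original address; for an invalidation path, deleting by id alone, `$query = "DELETE FROM ttrss_sessions WHERE id = '$id'";`, is the safer choice, since refusing to destroy a session never helps the defender. The removed line was whitespace-only and the added one is empty, so that part of the hunk is a pure whitespace change worth dropping from the commit. The closing brace of destroy lies outside the hunk.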