github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-20 05:14:10 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

binding session to user ips for preventing session hijack

Browse source
This commit is contained in:
Serghey Rodin 2016-07-18 16:55:33 +03:00
commit 8c2a14a71f
1 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
web/inc/main.php
View file

@ -9,6 +9,22 @@ $i = 0;
require_once(dirname(__FILE__).'/i18n.php'); require_once(dirname(__FILE__).'/i18n.php');
// Saving user IPs to the session for preventing session hijacking
$user_combined_ip = $_SERVER['REMOTE_ADDR'] .'|'. $_SERVER['HTTP_CLIENT_IP'] .'|'. $_SERVER['HTTP_X_FORWARDED_FOR'] .'|'. $_SERVER['HTTP_X_FORWARDED'] .'|'. $_SERVER['HTTP_FORWARDED_FOR'] .'|'. $_SERVER['HTTP_FORWARDED'];
if(!isset($_SESSION['user_combined_ip'])){
$_SESSION['user_combined_ip'] = $user_combined_ip;
}
// Checking user to use session from the same IP he has been logged in
if($_SESSION['user_combined_ip'] != $user_combined_ip){
session_destroy();
$_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
header("Location: /login/");
exit;
}
// Check system settings // Check system settings
if ((!isset($_SESSION['VERSION'])) && (!defined('NO_AUTH_REQUIRED'))) { if ((!isset($_SESSION['VERSION'])) && (!defined('NO_AUTH_REQUIRED'))) {
session_destroy(); session_destroy();