add more control to auth paranoia setting

2014-07-20 00:24:12 -07:00 · 2014-07-20 00:24:12 -07:00 · f65890091e
commit f65890091e
parent 67000917f4
3 changed files with 966 additions and 905 deletions
--- a/include/auth.php
+++ b/include/auth.php
@ -130,11 +130,34 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 		if($_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
 			logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
-			if(get_config('system','paranoia')) {
+
 			$partial1 = substr($_SESSION['addr'],0,strrpos($_SESSION['addr'],'.')); 
 			$partial2 = substr($_SERVER['REMOTE_ADDR'],0,strrpos($_SERVER['REMOTE_ADDR'],'.')); 
 			$paranoia = intval(get_config('system','paranoia'));
 			switch($paranoia) {
 				case 0:
 					// no IP checking
 					break;
 				case 2:
 					// check 2 octets
 					$partial1 = substr($partial1,0,strrpos($partial1,'.')); 
 					$partial2 = substr($partial2,0,strrpos($partial2,'.')); 
 					if($partial1 == $partial2)
 						break;
 				case 1:
 					// check 3 octets
 					if($partial1 == $partial2)
 						break;
 				case 3:
 				default:
 					// check any difference at all
 					logger('Session address changed. Paranoid setting in effect, blocking session. ' 
 					. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
 					nuke_session();
 					goaway(z_root());
 					break;
 			}
 		}
--- a/util/messages.po
+++ b/util/messages.po
--- a/version.inc
+++ b/version.inc
@ -1 +1 @@
-2014-07-17.739
+2014-07-20.742