From 5f778d73b41884cebdcee7b95bbe7b07ae57913f Mon Sep 17 00:00:00 2001
From: Aaron van Geffen
Date: Mon, 20 Nov 2023 20:58:20 +0100
Subject: [PATCH] Session: remove checks for matching IP address and user agent

This was considered good practice in the days before always-on https, but is considered superfluous today. It even gets in the way of IPv6 privacy extensions, which is the main argument for removing them today.
---
 models/Session.php | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/models/Session.php b/models/Session.php
index 22e08448..ebf5bf35 100644
--- a/models/Session.php
+++ b/models/Session.php
@@ -12,28 +12,6 @@ class Session
 	{
 		session_start();
-		// Resuming an existing session? Check what we know!
-		if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent']))
-		{
-			// If we're not browsing over HTTPS, protect against session hijacking.
-			if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR'])
-			{
-				$_SESSION = [];
-				Dispatcher::kickGuest('Your session failed to validate', 'Your IP address has changed. Please re-login and try again.');
-			}
-			// Either way, require re-login if the browser identifier has changed.
-			elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])
-			{
-				$_SESSION = [];
-				Dispatcher::kickGuest('Your session failed to validate', 'Your browser identifier has changed. Please re-login and try again.');
-			}
-		}
-		elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent']))
-			$_SESSION = [
-				'ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
-				'user_agent' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',
-			];
 		return true;
 	}
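Review bot: With the IP/user-agent binding gone, the bare `session_start();` at the top of the hunk is the only session handling left in this method, and it passes no options, so resistance to session fixation and cookie theft now rests entirely on ini settings that are not visible here. If those are not configured elsewhere, consider `session_start(['use_strict_mode' => true, 'cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Lax']);` so that uninitialised session ids are rejected and the cookie is not readable by script or sent over plain HTTP; a `session_regenerate_id(true)` on login belongs with this, presumably in the login handler rather than here. The removed `elseif` branch was the only code in the hunk that wrote `$_SESSION['ip_address']` and `$_SESSION['user_agent']`, so any remaining reader of those keys elsewhere in the project would now hit an undefined index — worth a grep before merging. A one-line comment such as `// Sessions are deliberately not bound to IP/user agent (breaks IPv6 privacy extensions); cookie flags and strict mode carry the protection.` would keep the commit's rationale next to the code; the enclosing method's signature lies before the hunk.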