Session: remove checks for matching IP address and user agent

This was considered good practice in the days before always-on https,
but is considered superfluous today. It even gets in the way of IPv6
privacy extensions, which is the main argument for removing them today.

models/Session.php

@@ -12,28 +12,6 @@ class Session
 	{
 		session_start();
 
-		// Resuming an existing session? Check what we know!
-		if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent']))
-		{
-			// If we're not browsing over HTTPS, protect against session hijacking.
-			if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR'])
-			{
-				$_SESSION = [];
-				Dispatcher::kickGuest('Your session failed to validate', 'Your IP address has changed. Please re-login and try again.');
-			}
-			// Either way, require re-login if the browser identifier has changed.
-			elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])
-			{
-				$_SESSION = [];
-				Dispatcher::kickGuest('Your session failed to validate', 'Your browser identifier has changed. Please re-login and try again.');
-			}
-		}
-		elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent']))
-			$_SESSION = [
-				'ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
-				'user_agent' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',
-			];
-
 		return true;
 	}