Session: remove checks for matching IP address and user agent
This was considered good practice in the days before always-on https, but is considered superfluous today. It even gets in the way of IPv6 privacy extensions, which is the main argument for removing them today.
This commit is contained in:
parent
2ec565242e
commit
5f778d73b4
@ -12,28 +12,6 @@ class Session
|
|||||||
{
|
{
|
||||||
session_start();
|
session_start();
|
||||||
|
|
||||||
// Resuming an existing session? Check what we know!
|
|
||||||
if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent']))
|
|
||||||
{
|
|
||||||
// If we're not browsing over HTTPS, protect against session hijacking.
|
|
||||||
if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR'])
|
|
||||||
{
|
|
||||||
$_SESSION = [];
|
|
||||||
Dispatcher::kickGuest('Your session failed to validate', 'Your IP address has changed. Please re-login and try again.');
|
|
||||||
}
|
|
||||||
// Either way, require re-login if the browser identifier has changed.
|
|
||||||
elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])
|
|
||||||
{
|
|
||||||
$_SESSION = [];
|
|
||||||
Dispatcher::kickGuest('Your session failed to validate', 'Your browser identifier has changed. Please re-login and try again.');
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent']))
|
|
||||||
$_SESSION = [
|
|
||||||
'ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
|
|
||||||
'user_agent' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',
|
|
||||||
];
|
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user