From 67e827e128a4c446b89f581793f64fd0f1299389 Mon Sep 17 00:00:00 2001
From: Friendika <info@friendika.com>
Date: Mon, 29 Nov 2010 23:16:14 -0800
Subject: [PATCH] paranoid option to reduce session hijacking by enforcing an
 IP match on session validation. This is not claimed to be a perfect solution
 to the problem by any stretch, it merely raises the bar on the script kiddies
 to the detriment of those whose dynamic IPs aren't long lived. For these
 reasons it is opt-in.

---
 include/auth.php | 43 ++++++++++++++++++++++++++-----------------
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/include/auth.php b/include/auth.php
index d82bc84d18..dd4afac239 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -1,20 +1,29 @@
 <?php
 
+
+function nuke_session() {
+	unset($_SESSION['authenticated']);
+	unset($_SESSION['uid']);
+	unset($_SESSION['visitor_id']);
+	unset($_SESSION['administrator']);
+	unset($_SESSION['cid']);
+	unset($_SESSION['theme']);
+	unset($_SESSION['page_flags']);
+}
+
+
 // login/logout 
 
+
+
+
 if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
 
 	if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
 	
 		// process logout request
 
-		unset($_SESSION['authenticated']);
-		unset($_SESSION['uid']);
-		unset($_SESSION['visitor_id']);
-		unset($_SESSION['administrator']);
-		unset($_SESSION['cid']);
-		unset($_SESSION['theme']);
-		unset($_SESSION['page_flags']);
+		nuke_session();
 		notice( t('Logged out.') . EOL);
 		goaway($a->get_baseurl());
 	}
@@ -23,13 +32,19 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 
 		// already logged in user returning
 
+		$check = get_config('system','paranoia');
+		// extra paranoia - if the IP changed, log them out
+		if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
+			nuke_session();
+			goaway($a->get_baseurl());
+		}
+
 		$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
 			intval($_SESSION['uid'])
 		);
 
 		if(! count($r)) {
-			unset($_SESSION['authenticated']);
-			unset($_SESSION['uid']);
+			nuke_session();
 			goaway($a->get_baseurl());
 		}
 
@@ -57,14 +72,7 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
 else {
 
 	if(isset($_SESSION)) {
-		unset($_SESSION['authenticated']);
-		unset($_SESSION['uid']);
-		unset($_SESSION['visitor_id']);
-		unset($_SESSION['administrator']);
-		unset($_SESSION['cid']);
-		unset($_SESSION['theme']);
-		unset($_SESSION['my_url']);
-		unset($_SESSION['page_flags']);
+		nuke_session();
 	}
 
 	if((x($_POST,'password')) && strlen($_POST['password']))
@@ -140,6 +148,7 @@ else {
 		$_SESSION['authenticated'] = 1;
 		$_SESSION['page_flags'] = $r[0]['page-flags'];
 		$_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $r[0]['nickname'];
+		$_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
 
 		notice( t("Welcome back ") . $r[0]['username'] . EOL);
 		$a->user = $r[0];