|
|
@@ -9,6 +9,22 @@ $i = 0;
|
|
|
|
|
|
require_once(dirname(__FILE__).'/i18n.php');
|
|
|
|
|
|
+
|
|
|
+// Saving user IPs to the session for preventing session hijacking
|
|
|
+$user_combined_ip = $_SERVER['REMOTE_ADDR'] .'|'. $_SERVER['HTTP_CLIENT_IP'] .'|'. $_SERVER['HTTP_X_FORWARDED_FOR'] .'|'. $_SERVER['HTTP_X_FORWARDED'] .'|'. $_SERVER['HTTP_FORWARDED_FOR'] .'|'. $_SERVER['HTTP_FORWARDED'];
|
|
|
+
|
|
|
+if(!isset($_SESSION['user_combined_ip'])){
|
|
|
+ $_SESSION['user_combined_ip'] = $user_combined_ip;
|
|
|
+}
|
|
|
+
|
|
|
+// Checking user to use session from the same IP he has been logged in
|
|
|
+if($_SESSION['user_combined_ip'] != $user_combined_ip){
|
|
|
+ session_destroy();
|
|
|
+ $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
|
|
|
+ header("Location: /login/");
|
|
|
+ exit;
|
|
|
+}
|
|
|
+
|
|
|
// Check system settings
|
|
|
if ((!isset($_SESSION['VERSION'])) && (!defined('NO_AUTH_REQUIRED'))) {
|
|
|
session_destroy();
|
Serghey Rodin