
Adding IP restriction to sessions to further avoid session swapping.

Alan Hardman 4 years ago
parent
commit
3c2eee5f55
4 changed files with 12 additions and 2 deletions
  1. 1 0
      app/controller/index.php
  2. 3 1
      app/model/session.php
  3. 6 0
      db/15.04.06.sql
  4. 2 1
      db/database.sql

+ 1 - 0
app/controller/index.php

@@ -215,6 +215,7 @@ class Index extends \Controller {
 
 	public function logout($f3) {
 		$session = new \Model\Session;
+		$session->loadCurrent();
 		$session->delete();
 		$f3->reroute("/");
 	}
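Review bot: `$session->delete()` on the line after the new `loadCurrent()` call runs even when no row matched — the cookie is absent, or the client's current address no longer equals the `ip` stored at login — so the outcome then depends on how `\Model::delete()` treats a mapper that was never loaded. Guard the delete on whatever loaded-state check `\Model` exposes, and consider clearing the session cookie in the same branch so the browser stops presenting a token the server will never honour again. The `Index` class and the rest of the controller are outside the hunk.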

+ 3 - 1
app/model/session.php

@@ -21,6 +21,7 @@ class Session extends \Model {
 		if($user_id !== null) {
 			$this->user_id = $user_id;
 			$this->token = \Helper\Security::instance()->salt_sha2();
+			$this->ip = \Base::instance()->get("IP");
 			$this->created = date("Y-m-d H:i:s");
 			if($auto_save) {
 				$this->save();
@@ -35,9 +36,10 @@ class Session extends \Model {
 	 */
 	public function loadCurrent() {
 		$f3 = \Base::instance();
+		$ip = $f3->get("IP");
 		$token = $f3->get("COOKIE.{$this->cookie_name}");
 		if($token) {
-			$this->load(array("token = ?", $token));
+			$this->load(array("token = ? AND ip = ?", $token, $ip));
 			$expire = $f3->get("JAR.expire");
 
 
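Review bot: The value read from `$f3->get("IP")` in both hunks is stored and compared without validation, and its provenance decides how much this binding buys: in Fat-Free's `\Base` I believe the `IP` hive key is filled from a `Client-IP` / `X-Forwarded-For` header when one is present and only otherwise from `REMOTE_ADDR`, so unless a trusted proxy strips those headers the check can be satisfied by any client able to set the header. Bind to the address the deployment is actually entitled to trust (`REMOTE_ADDR`, or the forwarded value only behind a proxy known to set it), and reject anything that fails `filter_var($ip, FILTER_VALIDATE_IP)` before it reaches `save()` or the `load()` clause, since the column is a 39-byte VARBINARY and an overlong or junk value will be truncated or refused depending on `sql_mode`. A token that exists under a different `ip` now simply loads nothing; logging that mismatch would be a useful hijack signal, and clients whose address changes mid-session (mobile, multi-egress NAT) are logged out with the stale cookie still set. Both enclosing methods continue outside the hunks — the constructor begins before the first and `loadCurrent()` runs past the second.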

+ 6 - 0
db/15.04.06.sql

@@ -0,0 +1,6 @@
+ALTER TABLE `session`
+	ADD COLUMN `ip` VARBINARY(39) NOT NULL AFTER `token`,
+	DROP INDEX `session_token`, ADD UNIQUE INDEX `session_token` (`token`, `ip`);
+TRUNCATE `session`;
+
+UPDATE `config` SET `value` = '15.04.06' WHERE `attribute` = 'version';
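Review bot: Replacing `UNIQUE INDEX session_token (token)` with the composite `(token, ip)` drops the guarantee that a token identifies at most one session; `token` is a random 64-byte value and `loadCurrent()` filters on both columns anyway, so the composite key serves no lookup the single-column unique index would not, while permitting the same token to exist twice under different addresses. Keep `UNIQUE INDEX session_token (token)` and only `ADD COLUMN ip VARBINARY(39) NOT NULL AFTER token`, and mirror that in `db/database.sql`, which makes the same index change. `VARBINARY(39)` holds the hexadecimal IPv6 form but not the 45-character IPv4-mapped textual form, so whatever writes `ip` should validate or normalise the address first; the `TRUNCATE` itself is appropriate since existing rows carry no address.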

+ 2 - 1
db/database.sql

@@ -259,10 +259,11 @@ DROP TABLE IF EXISTS `session`;
 CREATE TABLE `session`(
 	`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
 	`token` VARBINARY(64) NOT NULL,
+	`ip` VARBINARY(39) NOT NULL,
 	`user_id` INT UNSIGNED NOT NULL,
 	`created` DATETIME NOT NULL,
 	PRIMARY KEY (`id`),
-	UNIQUE KEY `session_token` (`token`),
+	UNIQUE KEY `session_token` (`token`, `ip`),
 	KEY `session_user_id` (`user_id`),
 	CONSTRAINT `session_user_id` FOREIGN KEY (`user_id`) REFERENCES `user`(`id`) ON UPDATE CASCADE ON DELETE CASCADE
 ) ENGINE=INNODB CHARSET=utf8 COLLATE=utf8_unicode_ci;