1 year ago · bbf714f218
--- a/core/authentication/resources/classes/authentication.php
+++ b/core/authentication/resources/classes/authentication.php
@@ -169,12 +169,15 @@ class authentication {
 
				 // 			}
			
 
				 // 			$result["authorized"] = $authorized;
			
 
				 
			
 
				-		//add user logs
			
 
				+		//add the result to the user logs
			
 
				 			user_logs::add($result);
			
 
				 
			
 
				 		//user is authorized - get user settings, check user cidr
			
 
				 			if ($authorized) {
			
 
				 
			
 
				+				//regenerate the session on login
			
 
				+					session_regenerate_id(true);
			
 
				+
			
 
				 				//set a session variable to indicate authorized is set to true
			
 
				 					$_SESSION['authorized'] = true;
			
 
				 
			
@@ -229,8 +232,15 @@ class authentication {
 
				 					$_SESSION["user_uuid"] = $result["user_uuid"];
			
 
				 					$_SESSION["context"] = $result['domain_name'];
			
 
				 
			
 
				-				//used to validate the session
			
 
				-					$_SESSION["user_hash"] = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
			
 
				+				//build the session server array to validate the session
			
 
				+					global $conf;
			
 
				+					if (!isset($conf['session.validate'])) { $conf['session.validate'][] = 'HTTP_USER_AGENT'; }
			
 
				+					foreach($conf['session.validate'] as $name) {
			
 
				+						$server_array[$name] = $_SERVER[$name];
			
 
				+					}
			
 
				+
			
 
				+				//save the user hash to be used in validate the session
			
 
				+					$_SESSION["user_hash"] = hash('sha256', implode($server_array));
			
 
				 
			
 
				 				//user session array
			
 
				 					$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
			
@@ -448,4 +458,4 @@ $response = $auth->validate();
 
				 print_r($response);
			
 
				 */
			
 
				 
			
 
				-?>
			
 
				+?>
			
--- a/resources/check_auth.php
+++ b/resources/check_auth.php
@@ -75,8 +75,18 @@
 
				 		$_SESSION['authorized'] = false;
			
 
				 	}
			
 
				 
			
 
				-//validate the session address
			
 
				-	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) {
			
 
				+//session validate: use HTTP_USER_AGENT as a default value
			
 
				+	if (!isset($conf['session.validate'])) {
			
 
				+		$conf['session.validate'][] = 'HTTP_USER_AGENT';
			
 
				+	}
			
 
				+
			
 
				+//session validate: prepare the server array
			
 
				+	foreach($conf['session.validate'] as $name) {
			
 
				+		$server_array[$name] = $_SERVER[$name];
			
 
				+	}
			
 
				+
			
 
				+//session validate: check to see if the session is valid
			
 
				+	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', implode($server_array))) {
			
 
				 		session_destroy();
			
 
				 		header("Location: ".PROJECT_PATH."/logout.php");
			
 
				 	}