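*
 * SessionGuard.php is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * SessionGuard.php is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You can view the GNU General Public License at URL
 *
 * http://www.gnu.org/copyleft/gpl.html
 **/

# Usage: require('SessionGuard.php'); from the wiki configuration, BEFORE
# authuser.php is included, so that a hijacked session is rejected before any
# authentication state is read out of it.
#
# What this does: on the first request of a session it records the client's
# (masked) IP address and User-Agent in $_SESSION; on every later request it
# compares them. A mismatch is treated as a stolen session cookie: the session
# is destroyed server-side, the cookie is expired and the client is redirected.
#
# Limits a deployer should know:
#  * Only REMOTE_ADDR is trusted. X-Forwarded-For / Client-IP / Via are set by
#    the client (or any proxy on the way) and are trivially forged, so they are
#    ignored. Behind a reverse proxy REMOTE_ADDR is the proxy's own address and
#    the IP check degrades to "same proxy" unless the proxy is configured to
#    pass the real address into REMOTE_ADDR.
#  * The User-Agent is attacker-controlled; it only defeats the laziest replay.
#  * Binding to a network prefix (/24 for IPv4, /64 for IPv6) is a trade-off:
#    it tolerates proxy farms that rotate the client address within one
#    network, but an attacker inside that network is not stopped by the check.

$RecipeInfo['SessionGuard']['Version'] = '2.2';

#----- 8< --== paranoia section ==-- 8< ----- 8< ----- 8< ----- 8< ----- 8< ----- 8< -----
# Set $SessionGuardMaskIP = false; in config.php (before this require) to bind
# the session to the complete client address instead of its network prefix.
# This lowers the risk of session theft even more, but locks out users behind
# proxy farms (e.g. the default AOL proxies) whose address changes per request.
if (!isset($SessionGuardMaskIP)) $SessionGuardMaskIP = true;
#----- >8 --== paranoia section ==-- >8 ----- >8 ----- >8 ----- >8 ----- >8 ----- >8 -----

# Guarded so that a second require() of this file does not fatal on redeclare.
if (!function_exists('SessionGuard_MaskIP')) {
  # Reduce a client address to the network part the session is bound to.
  # IPv4:        keep the first three octets, '*' for the last (192.0.2.42 -> 192.0.2.*).
  # IPv4-mapped: same, on the embedded IPv4 (::ffff:192.0.2.42 -> ::ffff:192.0.2.*).
  # IPv6:        keep the upper 64 bits (the routed prefix) as hex, '*' for the
  #              interface identifier. The result is only ever compared, never shown.
  # Anything unparsable is returned unchanged and therefore matched exactly.
  # (The old implementation only stripped trailing decimal digits, which masks
  # IPv4 but leaves most IPv6 addresses either unmasked or masked at random.)
  function SessionGuard_MaskIP($ip) {
    $ip = (string)$ip;
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
      return preg_replace('!\d+$!', '*', $ip);
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
      $packed = inet_pton($ip);   # already validated, so no warning is raised here
      if ($packed !== false && strlen($packed) === 16) {
        if (substr($packed, 0, 12) === "\0\0\0\0\0\0\0\0\0\0\xff\xff") {
          return '::ffff:' . preg_replace('!\d+$!', '*', inet_ntop(substr($packed, 12, 4)));
        }
        return bin2hex(substr($packed, 0, 8)) . ':*';
      }
    }
    return $ip;
  }

  # Bind $value under $key on the first request of a session; on later requests
  # return true when the stored value differs from the current one (a possible
  # hijack). Strict comparison: both sides are strings we produced ourselves.
  function SessionGuard_Mismatch($key, $value) {
    if (!isset($_SESSION[$key])) {
      $_SESSION[$key] = $value;
      return false;
    }
    return $_SESSION[$key] !== $value;
  }
}

# A session must be open to read the binding; do not re-open one that the
# configuration has already started (a second session_start() would warn).
if (session_id() === '') session_start();

# REMOTE_ADDR is absent on the CLI; treat that like an unknown address rather
# than raising an undefined-index notice.
$remote_addr = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : '';
$userip = $SessionGuardMaskIP ? SessionGuard_MaskIP($remote_addr) : $remote_addr;
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? (string)$_SERVER['HTTP_USER_AGENT'] : '';

# Evaluate both bindings on every request so that a fresh session records both.
$session_theft = SessionGuard_Mismatch('BindSession::IP', $userip);
if (SessionGuard_Mismatch('BindSession::UA', $user_agent)) $session_theft = true;

if ($session_theft) {
  # Terminate the session on the server as well, not only at the client:
  # whoever holds the cookie must not be able to keep probing it from a
  # matching network / User-Agent. Consequence to be aware of: anyone who
  # obtained the cookie can thereby force the legitimate user to log in again,
  # which is the intended outcome once a compromise has been detected.
  $_SESSION = array();
  session_destroy();
  # Expire the cookie with the same attributes it was issued with; a cookie
  # cleared with a different path/domain is simply ignored by the browser.
  $cookie = session_get_cookie_params();
  setcookie(session_name(), '', 1, $cookie['path'], $cookie['domain'],
            $cookie['secure'], $cookie['httponly']);
  Redirect('Site/InvalidLoginInformation'); # make sure anonymous users can read the Redirect()ed page!
} else {
  session_write_close();
}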