<?php if (!defined('PmWiki')) exit(); # only run when included by PmWiki (which defines 'PmWiki'); loaded directly, stop before touching the session
/**
*  GNU GPL v2 :-)
*
*  Copyright (C) 2007 Sven van Bolt <sven@svenvanbolt.de>
*
*  SessionGuard.php is free software; you can redistribute it and/or modify
*  it under the terms of the GNU General Public License as published by
*  the Free Software Foundation; either version 2 of the License, or
*  (at your option) any later version.
*
*  LoginGuard.php is distributed in the hope that it will be useful,
*  but WITHOUT ANY WARRANTY; without even the implied warranty of
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*  GNU General Public License for more details.
*
*  You can view the GNU General Public License at URL
*
*     http://www.gnu.org/copyleft/gpl.html
**/

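# usage:  require(LoginGuard.php); >>BEFORE<< AuthUser included

$RecipeInfo['SessionGuard']['Version'] = '2.2';

# What this recipe does: on the first request of a session it records the client's
# (masked) remote address and User-Agent string in the session; on every later request
# it compares them. A mismatch is treated as a stolen session id: the session is
# destroyed on the server, its cookie expired in this browser, and the visitor redirected.
#
# Only REMOTE_ADDR is used. X_VIA / CLIENT_IP style headers are supplied by the client and
# can be faked, so they carry no evidence. REMOTE_ADDR is absent under the CLI SAPI, hence
# the isset() fallback to '' instead of a notice.
$userip = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : '';

#----- 8< --== paranoia section ==-- 8< ----- 8< ----- 8< ----- 8< ----- 8< ----- 8< -----

# Replace the trailing run of decimal digits with '*', so that only the first three
# segments of a dotted IPv4 address have to match on later requests.
# NOTE(review): an IPv6 address ends in a hexadecimal group, so this mask may strip
# nothing or only part of that group. Comparison still works, it just is not a
# "first three segments" mask there -- confirm whether IPv6 clients need own handling.
$userip = preg_replace('!\d+$!', '*', $userip);

# Comment out above line to match all four segments of the IP address instead of only the
# first three ones. This will lower the risk of session theft even more, but will block
# out users using proxy farms, e.g. AOL users using the default AOL proxy services.

#----- >8 --== paranoia section ==-- >8 ----- >8 ----- >8 ----- >8 ----- >8 ----- >8 -----


$session_theft = false;

# Do not re-open a session that another part of the bootstrap already started
# (a second session_start() only raises a notice).
if (session_id() === '') { session_start(); }

# First sight: remember the address. Later requests: compare strictly -- both sides are
# strings, and === avoids the numeric-string coercion that == applies.
if (!isset($_SESSION['BindSession::IP']))
{
  $_SESSION['BindSession::IP'] = $userip;
}
elseif ($_SESSION['BindSession::IP'] !== $userip)
{
  $session_theft = true;
}


# The User-Agent is client-supplied, so an unchanged value proves nothing on its own;
# a changed value is still a useful signal that the session id is being replayed from
# a different client.
$user_agent = ( isset($_SERVER['HTTP_USER_AGENT']) ? (string)$_SERVER['HTTP_USER_AGENT'] : '' );

if (!isset($_SESSION['BindSession::UA']))
{
  $_SESSION['BindSession::UA'] = $user_agent;
}
elseif ($_SESSION['BindSession::UA'] !== $user_agent)
{
  $session_theft = true;
}

if ($session_theft)
{
  # Invalidate the session on the server, not only in this browser's cookie: expiring
  # the cookie alone leaves the stored session data usable by whoever else holds the id
  # until garbage collection removes it.
  $_SESSION = array();
  session_destroy();

  # Expire the cookie with the same attributes it was issued with; a different
  # path/domain would create a second cookie instead of removing the original one.
  $cookie = session_get_cookie_params();
  setcookie(session_name(), '', 1, $cookie['path'], $cookie['domain'],
    $cookie['secure'], $cookie['httponly']);
  Redirect('Site/InvalidLoginInformation');
    # make sure anonymous users can read the Redirect()ed page!
}
else
{
  # Nothing suspicious: persist the bindings and release the session lock early.
  session_write_close();
}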