binding session to user ips for preventing session hijack

serghey-rodin · serghey-rodin · commit 8c2a14a71f61 · 2016-07-18T16:55:33.000+03:00
diff --git a/web/inc/main.php b/web/inc/main.php
@@ -9,6 +9,22 @@
 
 require_once(dirname(__FILE__).'/i18n.php');
 
+
+// Saving user IPs to the session for preventing session hijacking
+$user_combined_ip = $_SERVER['REMOTE_ADDR'] .'|'. $_SERVER['HTTP_CLIENT_IP'] .'|'. $_SERVER['HTTP_X_FORWARDED_FOR'] .'|'. $_SERVER['HTTP_X_FORWARDED'] .'|'. $_SERVER['HTTP_FORWARDED_FOR'] .'|'. $_SERVER['HTTP_FORWARDED'];
+
+if(!isset($_SESSION['user_combined_ip'])){
+    $_SESSION['user_combined_ip'] = $user_combined_ip;
+}
+
+// Checking user to use session from the same IP he has been logged in
+if($_SESSION['user_combined_ip'] != $user_combined_ip){
+    session_destroy();
+    $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
+    header("Location: /login/");
+    exit;
+}
+
 // Check system settings
 if ((!isset($_SESSION['VERSION'])) && (!defined('NO_AUTH_REQUIRED'))) {
     session_destroy();
