authorChristian Stocker <me@chregu.tv>2011-02-22 11:25:25 +0100
committerChristian Stocker <me@chregu.tv>2011-02-22 11:25:25 +0100
commitaf3456c75eb0f6fc5fe25fff8331b5972e48de95 (patch)
treec20cf0aa53ba54e04fca0b900aeb700b0f910bc9
parentd3dd5da5b298719da77ef8b607c72b0fbd4818ff (diff)
add user agent to session for additional security
(I know it's easily fakeable, but I can live with that)
-rw-r--r--web/Users.php5
1 files changed, 4 insertions, 1 deletions
diff --git a/web/Users.php b/web/Users.php
index 37d7e02..f934759 100644
--- a/web/Users.php
+++ b/web/Users.php
@@ -59,6 +59,7 @@ class User {
function doLogin() {
session_regenerate_id();
$_SESSION['loggedin'] = true;
+ $_SESSION['ua'] = $_SERVER['HTTP_USER_AGENT'];
}
function doOTP() {
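Review bot: The added line in doLogin() reads `$_SERVER['HTTP_USER_AGENT']` unconditionally, but a request that sends no User-Agent header leaves that key unset, so the assignment raises an undefined-index notice and stores null. Because the matching check in isLoggedIn() (second hunk) tests `isset($_SESSION['ua'])`, which is false for null, such a client would be marked logged in by doLogin() yet never pass isLoggedIn(), with no error surfaced to anyone. Storing an explicit fallback keeps the two sides consistent: `$_SESSION['ua'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';`, and the same guarded read should be used in the isLoggedIn() comparison, where `===` would also be preferable to the loose `==`. A one-line comment such as `// bind the session to the client's User-Agent so a stolen session id alone is less useful (header is client-supplied, not a hard guarantee)` would document the intent the commit message states.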
@@ -74,7 +75,9 @@ class User {
}
function isLoggedIn() {
- if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
+ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true &&
+ isset($_SESSION['ua']) && $_SESSION['ua'] == $_SERVER['HTTP_USER_AGENT']
+ ) {
return $_SESSION['username'];
}