authorMalf Furious <m@lfurio.us>2016-03-05 16:48:58 -0500
committerMalf Furious <m@lfurio.us>2016-03-05 16:48:58 -0500
commita68db47508b74ccd0d7e6f8529a0f98b59dd69e0 (patch)
tree921b9da5f54274472aeca7e97e2c4254e4a52193
parent6252381a2f8c1de374a2ad35d20bc10393d6f47a (diff)
Add verify_ip security assertion
This assertion will be used app-wide. It asserts that the IP address a client uses to connect to the app stays constant throughout the session's lifetime. This is to detect session hijacking. If a session suddenly appears to be coming from a different IP address, the session will be killed.
Diffstat (limited to '')
-rw-r--r--app/class/controller.class.php15
1 files changed, 15 insertions, 0 deletions
diff --git a/app/class/controller.class.php b/app/class/controller.class.php
index fabd7e7..effaf78 100644
--- a/app/class/controller.class.php
+++ b/app/class/controller.class.php
@@ -32,6 +32,21 @@ abstract class Controller extends Framework
if (isset($_SERVER['HTTPS']))
$this->redirectTo("http://" . $_SERVER['SERVER_NAME'] . $this->ap());
}
+
+ /*
+ * Security check
+ * Assert that the client's IP address does not change during its session. If a change is detected, logout.
+ */
+ function sec_verify_ip()
+ {
+ $addr = $_SERVER['REMOTE_ADDR'];
+
+ if ($this->getCurrentUser() && $addr != $this->getOriginIP())
+ {
+ $this->setCurrentUser();
+ $this->redirectTo($this->ar() . "/");
+ }
+ }
}
?>
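Review bot: The comparison in `sec_verify_ip()` uses loose `!=` and reads `$_SERVER['REMOTE_ADDR']` unconditionally, so a request where that key is absent (e.g. a CLI or test invocation) emits a notice and compares `null` against the stored origin; a safer form is `$addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';` followed by `if ($this->getCurrentUser() && $addr !== $this->getOriginIP())`. The commit message says the session is killed on mismatch, but the hunk only calls `$this->setCurrentUser()` and redirects; unless that helper already destroys or regenerates the session (not visible here), consider adding `session_regenerate_id(true);` or an explicit session destroy in the mismatch branch so the old session id carries no state. Note also that legitimate clients on mobile networks or behind rotating proxies can change `REMOTE_ADDR` mid-session, so this check will force re-login for them; that trade-off is worth stating in the method comment. For style, the method should declare visibility (`public function sec_verify_ip()`) and the header comment would read better as a `/** ... */` docblock describing the redirect side effect.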