// then all addresses are ALLOWED EXCEPT those listed.
// $CFG->allowemailaddresses = "myschool.edu.au hotmail.com";
// $CFG->denyemailaddresses = "hotmail.com yahoo.com";
+//
+// If this setting is set to true, then Moodle will track the IP of the
+// current user to make sure it hasn't changed during a session. This
+// will prevent the possibility of sessions being hijacked via XSS, but it
+// may break things for users coming using proxies that change all the time,
+// like AOL.
+// $CFG->tracksessionip = true;
//=========================================================================
// ALL DONE! To continue installation, visit your main page with a browser
$string['modulerequirementsnotmet'] = 'Module \"$a->modulename\" ($a->moduleversion) could not be installed. It requires a newer version of Moodle (currently you are using $a->currentmoodle, you need $a->requiremoodle).';
$string['notavailable'] = 'That is not currently available';
$string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricted from doing that.';
+$string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. Normal users should not be seeing this message - please ask the site administrator for help.';
$string['unknowncourse'] = 'Unknown course named \"$a\"';
$string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
$string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';
die;
}
+ // Make sure current IP matches the one for this session (if required)
+ if (!empty($CFG->tracksessionip)) {
+ if ($USER->sessionIP != md5(getremoteaddr())) {
+ error(get_string('sessionipnomatch', 'error'));
+ }
+ }
+
// Next, check if the user can be in a particular course
if ($courseid) {
if ($courseid == SITEID) {
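Review bot: The comparison on the `if ($USER->sessionIP != md5(getremoteaddr()))` line is loose; both operands are md5 hex strings and PHP's `!=` compares numeric-looking strings numerically, so two distinct digests can compare equal and the check would pass when it should fail — write it as `if ($USER->sessionIP !== md5(getremoteaddr())) {`. `$USER->sessionIP` is only assigned at login (the `$user->sessionIP = md5(getremoteaddr());` line in the authentication hunk further down), so a session that was established before `$CFG->tracksessionip` was switched on carries no stored value and will hit this error on every page until the user logs in again; decide explicitly whether such sessions are to be re-authenticated or have the value recorded on first sight, and state that in the comment above the block. A mismatch is the signal an administrator would want when investigating a stolen session cookie, so it is worth recording in the site log before `error()` aborts the request. require_login's body starts and ends outside the hunk.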
* Creates a bare-bones user record
*
* @uses $CFG
- * @uses $REMOTE_ADDR
* @param string $username New user's username to add to record
* @param string $password New user's password to add to record
* @param string $auth Form of authentication required
* @todo Outline auth types and provide code example
*/
function create_user_record($username, $password, $auth='') {
- global $REMOTE_ADDR, $CFG;
+ global $CFG;
//just in case check text case
$username = trim(moodle_strtolower($username));
$newuser->confirmed = 1;
$newuser->site = $CFG->wwwroot;
$newuser->lang = $CFG->lang;
+ $newuser->lastIP = getremoteaddr();
}
return $newuser;
if ($md5password <> $user->password) { // Update local copy of password for reference
set_field('user', 'password', $md5password, 'username', $username);
}
- // update user record from external DB
- if ($user->auth != 'manual' && $user->auth != 'email'){
+ if (!is_internal_auth()) { // update user record from external DB
$user = update_user_record($username);
}
} else {
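Review bot: The new `if (!is_internal_auth())` condition no longer looks at the per-user `$user->auth` value that the removed lines tested; the helper is called with no argument here, and its definition is not in the hunk, so unless it consults `$user->auth` itself the decision now follows the site-wide authentication setting. A user whose own auth method differs from the site default (for example an account created under one method after the site switched to another) will then be synchronised from the external source, or skipped, differently than before this change. If the per-user behaviour is the intended one, the user's auth method needs to be passed to the helper rather than read from global state; if the site-wide rule is intended, a comment such as `// site-wide auth method decides; per-user $user->auth is deliberately not consulted` would record that choice. The enclosing function starts and ends outside the hunk.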
}
}
} else {
- if ( record_exists('user_coursecreators', 'userid', $user->id)) {
+ if (record_exists('user_coursecreators', 'userid', $user->id)) {
if (! delete_records('user_coursecreators', 'userid', $user->id)) {
error('Cannot remove user from course creators.');
}
}
}
}
+ $user->sessionIP = md5(getremoteaddr()); // Store the current IP in the session
return $user;
} else {