From: moodler Date: Mon, 27 Sep 2004 14:35:37 +0000 (+0000) Subject: New config variable $CFG->tracksessionip will force Moodle to always X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=366dfa6090104f9fd7397547a25e3633516a8834;p=moodle.git New config variable $CFG->tracksessionip will force Moodle to always check that the user's IP number never changes
---
diff --git a/config-dist.php b/config-dist.php
index 985025803b..b28ce14cfb 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -188,6 +188,13 @@ $CFG->defaultblocks = 'participants,activity_modules,search_forums,admin,course_
 // then all addresses are ALLOWED EXCEPT those listed.
 // $CFG->allowemailaddresses = "myschool.edu.au hotmail.com";
 // $CFG->denyemailaddresses = "hotmail.com yahoo.com";
+//
+// If this setting is set to true, then Moodle will track the IP of the
+// current user to make sure it hasn't changed during a session. This
+// will prevent the possibility of sessions being hijacked via XSS, but it
+// may break things for users coming using proxies that change all the time,
+// like AOL.
+// $CFG->tracksessionip = true;
 //=========================================================================
 // ALL DONE! To continue installation, visit your main page with a browser
diff --git a/lang/en/error.php b/lang/en/error.php
index c53afb5fc1..f9a652f2ea 100755
--- a/lang/en/error.php
+++ b/lang/en/error.php
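Review bot: The third and fourth added comment lines overstate what the setting does: pinning a session to an address does not prevent the session from being hijacked, it only stops a captured session cookie from being replayed from a different address, and clients behind the same NAT or forward proxy still present the same address. Suggest `// makes it harder for a stolen session cookie to be reused from another address, but it` in place of the "will prevent the possibility of sessions being hijacked via XSS, but it" wording so administrators do not read it as a complete defence. It would also be worth stating here that the check is skipped entirely while the setting is absent, which is how the `!empty($CFG->tracksessionip)` test in require_login treats it.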
@@ -12,6 +12,7 @@ $string['missingfield'] = 'Field \"$a\" is missing';
 $string['modulerequirementsnotmet'] = 'Module \"$a->modulename\" ($a->moduleversion) could not be installed. It requires a newer version of Moodle (currently you are using $a->currentmoodle, you need $a->requiremoodle).';
 $string['notavailable'] = 'That is not currently available';
 $string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricted from doing that.';
+$string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. Normal users should not be seeing this message - please ask the site administrator for help.';
 $string['unknowncourse'] = 'Unknown course named \"$a\"';
 $string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
 $string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index c85a0dff1a..e206ece15d 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -588,6 +588,13 @@ function require_login($courseid=0, $autologinguest=true) {
 die;
 }
+ // Make sure current IP matches the one for this session (if required)
+ if (!empty($CFG->tracksessionip)) {
+ if ($USER->sessionIP != md5(getremoteaddr())) {
+ error(get_string('sessionipnomatch', 'error'));
+ }
+ }
+
 // Next, check if the user can be in a particular course
 if ($courseid) {
 if ($courseid == SITEID) {
@@ -1076,7 +1083,6 @@ function get_user_fieldnames() {
 * Creates a bare-bones user record
 *
 * @uses $CFG
- * @uses $REMOTE_ADDR
 * @param string $username New user's username to add to record
 * @param string $password New user's password to add to record
 * @param string $auth Form of authentication required
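Review bot: `$USER->sessionIP` is only assigned in authenticate_user_login (the last hunk of lib/moodlelib.php), so a session established before this change, or through a login path that does not return from that function, carries no sessionIP; with `!=` a missing value compares unequal to the digest and every request from such a user ends in error(), and nothing in this hunk ends the session, so it is not clear from here that the user can recover by logging in again while the old cookie is still presented. I would treat a missing sessionIP as "send the user to the login page", treat a mismatch as "destroy the session, then show the error", and compare with `$USER->sessionIP !== md5(getremoteaddr())` so two hex digests are never coerced to numbers by the loose comparison. Recording the mismatch (user id, stored and current address) would also give the administrator the message tells users to contact something to act on. require_login starts and ends outside the hunk.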
@@ -1084,7 +1090,7 @@ function get_user_fieldnames() {
 * @todo Outline auth types and provide code example
 */
 function create_user_record($username, $password, $auth='') {
- global $REMOTE_ADDR, $CFG;
+ global $CFG;
 //just in case check text case
 $username = trim(moodle_strtolower($username));
@@ -1160,6 +1166,7 @@ function guest_user() {
 $newuser->confirmed = 1;
 $newuser->site = $CFG->wwwroot;
 $newuser->lang = $CFG->lang;
+ $newuser->lastIP = getremoteaddr();
 }
 return $newuser;
@@ -1226,8 +1233,7 @@ function authenticate_user_login($username, $password) {
 if ($md5password <> $user->password) { // Update local copy of password for reference
 set_field('user', 'password', $md5password, 'username', $username);
 }
- // update user record from external DB
- if ($user->auth != 'manual' && $user->auth != 'email'){
+ if (!is_internal_auth()) { // update user record from external DB
 $user = update_user_record($username);
 }
 } else {
@@ -1243,13 +1249,14 @@ function authenticate_user_login($username, $password) {
 }
 }
 } else {
- if ( record_exists('user_coursecreators', 'userid', $user->id)) {
+ if (record_exists('user_coursecreators', 'userid', $user->id)) {
 if (! delete_records('user_coursecreators', 'userid', $user->id)) {
 error('Cannot remove user from course creators.');
 }
 }
 }
 }
+ $user->sessionIP = md5(getremoteaddr()); // Store the current IP in the session
 return $user;
 } else {
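Review bot: Replacing `$user->auth != 'manual' && $user->auth != 'email'` with `!is_internal_auth()` in the `@@ -1226` hunk changes what is tested: the old condition looked at the auth method recorded on this user, while the new call takes no argument and so presumably decides from a site-wide setting. On a site configured for an external auth method that still holds 'manual' or 'email' users, update_user_record() would now run for those users as well; if that is intended, a comment such as `// site-wide auth decides, the per-user auth field is no longer consulted` would make it explicit, otherwise the user's own auth should still be passed through. is_internal_auth is not defined in this diff and authenticate_user_login continues outside the hunk.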
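Review bot: The new `$user->sessionIP = md5(getremoteaddr());` in the `@@ -1243` hunk sits on the successful-return path only, so whatever the following `else` branch returns (outside the hunk) leaves sessionIP unset and will be rejected by the new check in require_login once tracking is enabled. Hashing the address before storing it hides it from the session data but adds no protection, since the check compares against md5 of the current address anyway, and it prevents the error path or any log from telling the administrator which two addresses disagreed; storing `getremoteaddr()` directly, as the guest_user hunk does for lastIP, would be simpler and more diagnosable. The function's body continues after the hunk.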