Security - validate session

core/authentication/resources/classes/authentication.php

@@ -229,6 +229,9 @@ public function validate() {
 					$_SESSION["user_uuid"] = $result["user_uuid"];
 					$_SESSION["context"] = $result['domain_name'];
 
+				//used to validate the session
+					$_SESSION["user_hash"] = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
+
 				//user session array
 					$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
 					$_SESSION["user"]["domain_name"] = $result["domain_name"];
@@ -266,7 +269,7 @@ public function validate() {
 						}
 					}
 
-				//get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions']
+					//get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions']
 					if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) {
 						$x = 0;
 						$sql = "select distinct(permission_name) from v_group_permissions ";

resources/check_auth.php

@@ -42,8 +42,19 @@
 //define variables
 	if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }
 
+//if session authorized is not set then set the default value to false
+	if (!isset($_SESSION['authorized'])) {
+		$_SESSION['authorized'] = false;
+	}
+
+//validate the session address
+	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) {
+		session_destroy();
+		header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path));
+	}
+
 //if the session is not authorized then verify the identity
-	if (!isset($_SESSION['authorized']) || (isset($_SESSION['authorized']) && !$_SESSION['authorized'])) {
+	if (!$_SESSION['authorized']) {
 
 		//clear the menu
 			unset($_SESSION["menu"]);
@@ -98,4 +109,4 @@
 
 	}
 
-?>
+?>