
New config variable $CFG->tracksessionip will force Moodle to always

check that the user's IP number never changes
1 parent 3f58d60 commit 366dfa6090104f9fd7397547a25e3633516a8834 moodler committed Sep 27, 2004
Showing with 20 additions and 5 deletions.
  1. +7 −0 config-dist.php
  2. +1 −0 lang/en/error.php
  3. +12 −5 lib/moodlelib.php
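--- a/config-dist.php
+++ b/config-dist.php
@@ -188,6 +188,13 @@
 // then all addresses are ALLOWED EXCEPT those listed.
 // $CFG->allowemailaddresses = "myschool.edu.au hotmail.com";
 // $CFG->denyemailaddresses = "hotmail.com yahoo.com";
+//
+// If this setting is set to true, then Moodle will track the IP of the
+// current user to make sure it hasn't changed during a session. This
+// will prevent the possibility of sessions being hijacked via XSS, but it
+// may break things for users coming using proxies that change all the time,
+// like AOL.
+// $CFG->tracksessionip = true;
 //=========================================================================
 // ALL DONE! To continue installation, visit your main page with a browser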
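Review bot: The new comment's claim that IP tracking "will prevent the possibility of sessions being hijacked via XSS" overstates what the check does: script injected into a victim's page runs in the victim's own browser and its requests arrive from the victim's own address, so they pass the check; what the check actually defeats is a session cookie replayed from a different address. I'd word it as `// will make a stolen session cookie unusable from another IP address, but it` and keep the proxy caveat that follows. It is also worth saying that the check is only as reliable as the address the server sees for the client — behind a reverse proxy or NAT every user may appear to share one address, in which case the check becomes vacuous rather than wrong.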
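--- a/lang/en/error.php
+++ b/lang/en/error.php
@@ -12,6 +12,7 @@
 $string['modulerequirementsnotmet'] = 'Module \"$a->modulename\" ($a->moduleversion) could not be installed. It requires a newer version of Moodle (currently you are using $a->currentmoodle, you need $a->requiremoodle).';
 $string['notavailable'] = 'That is not currently available';
 $string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricted from doing that.';
+$string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. Normal users should not be seeing this message - please ask the site administrator for help.';
 $string['unknowncourse'] = 'Unknown course named \"$a\"';
 $string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
 $string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';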
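--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -588,6 +588,13 @@ function require_login($courseid=0, $autologinguest=true) {
 die;
 }
+ // Make sure current IP matches the one for this session (if required)
+ if (!empty($CFG->tracksessionip)) {
+ if ($USER->sessionIP != md5(getremoteaddr())) {
+ error(get_string('sessionipnomatch', 'error'));
+ }
+ }
+
 // Next, check if the user can be in a particular course
 if ($courseid) {
 if ($courseid == SITEID) {
@@ -1076,15 +1083,14 @@ function get_user_fieldnames() {
 * Creates a bare-bones user record
 *
 * @uses $CFG
- * @uses $REMOTE_ADDR
 * @param string $username New user's username to add to record
 * @param string $password New user's password to add to record
 * @param string $auth Form of authentication required
 * @return user A {@link $USER} object
 * @todo Outline auth types and provide code example
 */
 function create_user_record($username, $password, $auth='') {
- global $REMOTE_ADDR, $CFG;
+ global $CFG;
 //just in case check text case
 $username = trim(moodle_strtolower($username));
@@ -1160,6 +1166,7 @@ function guest_user() {
 $newuser->confirmed = 1;
 $newuser->site = $CFG->wwwroot;
 $newuser->lang = $CFG->lang;
+ $newuser->lastIP = getremoteaddr();
 }
 return $newuser;
@@ -1226,8 +1233,7 @@ function authenticate_user_login($username, $password) {
 if ($md5password <> $user->password) { // Update local copy of password for reference
 set_field('user', 'password', $md5password, 'username', $username);
 }
- // update user record from external DB
- if ($user->auth != 'manual' && $user->auth != 'email'){
+ if (!is_internal_auth()) { // update user record from external DB
 $user = update_user_record($username);
 }
 } else {
@@ -1243,13 +1249,14 @@ function authenticate_user_login($username, $password) {
 }
 }
 } else {
- if ( record_exists('user_coursecreators', 'userid', $user->id)) {
+ if (record_exists('user_coursecreators', 'userid', $user->id)) {
 if (! delete_records('user_coursecreators', 'userid', $user->id)) {
 error('Cannot remove user from course creators.');
 }
 }
 }
 }
+ $user->sessionIP = md5(getremoteaddr()); // Store the current IP in the session
 return $user;
 } else {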
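Review bot: The IP check added in the first hunk rejects any session that carries no sessionIP at all, because `$USER->sessionIP != md5(getremoteaddr())` is true when the property is unset, and it relies on a loose comparison; sessions that already exist when tracksessionip is switched on, and any login path that does not pass through authenticate_user_login (the only place the last hunk sets sessionIP), would then be shown an "IP changed" error that does not describe what happened. I'd compare strictly and handle the unset case explicitly, e.g. `if (empty($USER->sessionIP)) { $USER->sessionIP = md5(getremoteaddr()); } elseif ($USER->sessionIP !== md5(getremoteaddr())) {` — either pinning the address on first sight as shown or deliberately forcing a fresh login, rather than reporting a change that never occurred. Hashing the address with md5 gives no confidentiality, since the address space is tiny; it is harmless, but a plain string comparison would make the intent clearer. In the authenticate_user_login hunk, `!is_internal_auth()` replaces a test on `$user->auth`; if is_internal_auth() consults the site-wide auth setting rather than the user's own auth field, users whose per-user auth differs from the site default are now treated differently than before, which is worth confirming is intended. require_login begins before the first hunk and continues after it.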
