From bfaa0a67ef3afdb723a1a2d95bf7534c84f80e11 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Thu, 13 Jun 2013 13:59:45 +0200
Subject: [PATCH] Enforce session logout if IP address changed Fixes #179
---
 public/include/classes/user.class.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 9e69b01d..9d747d34 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -44,6 +44,9 @@ class User {
 public function getUserToken($id) {
 return $this->getSingle($id, 'token', 'id');
 }
+ public function getUserIp($id) {
+ return $this->getSingle($id, 'loggedIp', 'id');
+ }
 public function getIdFromToken($token) {
 return $this->getSingle($token, 'id', 'token', 's');
 }
@@ -546,7 +549,7 @@ class User {
 **/
 public function isAuthenticated() {
 $this->debug->append("STA " . __METHOD__, 4);
- if ($_SESSION['AUTHENTICATED'] == true && ! $this->isLocked($_SESSION['USERDATA']['id']))
+ if ($_SESSION['AUTHENTICATED'] == true && ! $this->isLocked($_SESSION['USERDATA']['id']) && $this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR'])
 return true;
 // Catchall
 $this->logoutUser();
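Review bot: The added clause in `isAuthenticated()` compares the stored address with a loose `==`, and a mismatch drops into the same silent catch-all `logoutUser()` as any anonymous request, so a session presented from a different address leaves no record for later investigation. I would write the comparison as `$this->getUserIp($_SESSION['USERDATA']['id']) === $_SERVER['REMOTE_ADDR']` (assuming `getSingle()` returns the stored string) and add a `$this->debug->append(...)` entry naming the user id when the addresses differ. `loggedIp` is read from the user row by id, so it looks like one value per account rather than per session; if so, a later login from elsewhere also ends the earlier session, and behind a reverse proxy `REMOTE_ADDR` is the proxy's address for every client. A comment above the condition stating both limits would help, e.g. `// Binds the session to the account's loggedIp; REMOTE_ADDR is the proxy address when fronted by one`. The method body continues past the end of the hunk.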