Do not check the IP address with session protection disabled

This allows the user to stay logged in if his IP changes. Fixes #1106
2018-07-17 14:13:37 +02:00 · 2018-07-17 14:13:37 +02:00 · d9ba1cdd44
parent 5d32c50ad7
commit d9ba1cdd44
2 changed files with 17 additions and 0 deletions
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@ -58,6 +58,9 @@ class LoginManager
     */
    public function generateStaySignedInToken($clientIpAddress)
    {
+        if ($this->configManager->get('security.session_protection_disabled') === true) {
+            $clientIpAddress = '';
+        }
        $this->staySignedInToken = sha1(
            $this->configManager->get('credentials.hash')
            . $clientIpAddress
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@ -259,6 +259,20 @@ class LoginManagerTest extends TestCase
        );
    }

+    /**
+     * Generate a token depending on the user credentials with session protected disabled
+     */
+    public function testGenerateStaySignedInTokenSessionProtectionDisabled()
+    {
+        $this->configManager->set('security.session_protection_disabled', true);
+        $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
+
+        $this->assertEquals(
+            sha1($this->passwordHash . $this->salt),
+            $this->loginManager->getStaySignedInToken()
+        );
+    }
+
    /**
     * Check user login - Shaarli has not yet been configured
     */