Do not check the IP address with session protection disabled

This allows users to stay logged in when their IP address changes.

Fixes #1106
ArthurHoaro 2018-07-17 14:13:37 +02:00
parent 5d32c50ad7
commit d9ba1cdd44
2 changed files with 17 additions and 0 deletions


@ -58,6 +58,9 @@ class LoginManager
*/
public function generateStaySignedInToken($clientIpAddress)
{
if ($this->configManager->get('security.session_protection_disabled') === true) {
$clientIpAddress = '';
}
$this->staySignedInToken = sha1(
$this->configManager->get('credentials.hash')
. $clientIpAddress
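Review bot: With `security.session_protection_disabled` set, the address is blanked before hashing, so the stay-signed-in token in `generateStaySignedInToken()` is derived only from stored values (`credentials.hash` and, judging by the new test, the salt) and stays the same for every browser and every login until those values change. A copied cookie value would then be accepted from any network for as long as the credentials are unchanged, and nothing in the method's docblock tells an operator that this is the cost of the option. I would add a docblock line such as `* With session protection disabled the token is not bound to the client address and only changes when the credentials or salt change.` The function body continues past the end of the hunk, so the remaining terms of the hash are not visible here.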


@ -259,6 +259,20 @@ class LoginManagerTest extends TestCase
);
}
/**
* Generate a token depending on the user credentials with session protected disabled
*/
public function testGenerateStaySignedInTokenSessionProtectionDisabled()
{
$this->configManager->set('security.session_protection_disabled', true);
$this->loginManager->generateStaySignedInToken($this->clientIpAddress);
$this->assertEquals(
sha1($this->passwordHash . $this->salt),
$this->loginManager->getStaySignedInToken()
);
}
/**
* Check user login - Shaarli has not yet been configured
*/