Do not check the IP address with session protection disabled
This allows the user to stay logged in if their IP address changes. Fixes #1106
parent
5d32c50ad7
commit
d9ba1cdd44
2 changed files with 17 additions and 0 deletions
|
@ -58,6 +58,9 @@ class LoginManager
|
|||
*/
|
||||
public function generateStaySignedInToken($clientIpAddress)
|
||||
{
|
||||
if ($this->configManager->get('security.session_protection_disabled') === true) {
|
||||
$clientIpAddress = '';
|
||||
}
|
||||
$this->staySignedInToken = sha1(
|
||||
$this->configManager->get('credentials.hash')
|
||||
. $clientIpAddress
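Review bot: With `security.session_protection_disabled` set, the value hashed at `$this->staySignedInToken = sha1(` no longer contains anything client-specific, so every browser gets the same token and it stays valid until the credentials hash (and, judging by the test, the salt) changes. That trade-off is what the setting asks for, but it should be recorded where it happens, e.g. `// Session protection disabled: the token is not bound to the client IP, so a copied cookie is accepted from any address.`; the docblock that ends just above the signature should also say that `$clientIpAddress` is ignored in this mode. The strict `=== true` means a setting persisted as `1` or `'true'` would silently keep the IP binding; that fails closed, but it is worth confirming how the value is stored. The method body and its docblock extend beyond the hunk.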
|
||||
|
|
|
@ -259,6 +259,20 @@ class LoginManagerTest extends TestCase
|
|||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a token depending on the user credentials with session protected disabled
|
||||
*/
|
||||
public function testGenerateStaySignedInTokenSessionProtectionDisabled()
|
||||
{
|
||||
$this->configManager->set('security.session_protection_disabled', true);
|
||||
$this->loginManager->generateStaySignedInToken($this->clientIpAddress);
|
||||
|
||||
$this->assertEquals(
|
||||
sha1($this->passwordHash . $this->salt),
|
||||
$this->loginManager->getStaySignedInToken()
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check user login - Shaarli has not yet been configured
|
||||
*/
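Review bot: The new test pins the token to `sha1($this->passwordHash . $this->salt)` for a single address only, so it never states the property the commit is about: the token must be the same whatever address is passed. Generating the token a second time with a different address and asserting that `getStaySignedInToken()` is unchanged would cover that directly. `assertSame` is the stricter choice for comparing two hash strings, since `assertEquals` compares loosely. The docblock reads "session protected disabled"; "session protection disabled" would match the setting name.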
|
||||
|
|