Do not check the IP address with session protection disabled
This allows users to stay logged in when their IP address changes. Fixes #1106
parent
5d32c50ad7
commit
d9ba1cdd44
2 changed files with 17 additions and 0 deletions
|
@ -58,6 +58,9 @@ public function __construct(& $globals, $configManager, $sessionManager)
|
||||||
*/
|
*/
|
||||||
public function generateStaySignedInToken($clientIpAddress)
|
public function generateStaySignedInToken($clientIpAddress)
|
||||||
{
|
{
|
||||||
|
if ($this->configManager->get('security.session_protection_disabled') === true) {
|
||||||
|
$clientIpAddress = '';
|
||||||
|
}
|
||||||
$this->staySignedInToken = sha1(
|
$this->staySignedInToken = sha1(
|
||||||
$this->configManager->get('credentials.hash')
|
$this->configManager->get('credentials.hash')
|
||||||
. $clientIpAddress
|
. $clientIpAddress
|
||||||
|
|
|
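Review bot: With `security.session_protection_disabled` set, the added branch blanks `$clientIpAddress`, so the stay-signed-in token no longer depends on anything that varies per client or per login; judging by the visible operands and the test's expected value, it reduces to a SHA-1 over the stored credentials hash and the salt. A copied cookie value would then be accepted from any network until the password or salt changes, which is the trade-off the option implies but the docblock does not state. I would record it above the branch, e.g. `// Session protection off: token is not bound to the client IP and stays valid from any address`, and consider mixing in a per-login value from `random_bytes()` kept server-side so the token can be rotated. The strict `=== true` also means a setting stored as `'true'` or `1` would silently keep the IP binding, so confirm the config manager returns a real boolean. The `sha1()` call and the rest of the method continue outside this hunk.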
@ -259,6 +259,20 @@ public function testGenerateStaySignedInToken()
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate a token depending on the user credentials with session protected disabled
|
||||||
|
*/
|
||||||
|
public function testGenerateStaySignedInTokenSessionProtectionDisabled()
|
||||||
|
{
|
||||||
|
$this->configManager->set('security.session_protection_disabled', true);
|
||||||
|
$this->loginManager->generateStaySignedInToken($this->clientIpAddress);
|
||||||
|
|
||||||
|
$this->assertEquals(
|
||||||
|
sha1($this->passwordHash . $this->salt),
|
||||||
|
$this->loginManager->getStaySignedInToken()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check user login - Shaarli has not yet been configured
|
* Check user login - Shaarli has not yet been configured
|
||||||
*/
|
*/
|
||||||
|
|
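Review bot: The new test pins the token for a single address only, so it would still pass if the implementation ignored the flag whenever `$this->clientIpAddress` happened to be empty, and it never shows that two different addresses yield the same token. A second call with another address would make the intent explicit, e.g. `$first = $this->loginManager->getStaySignedInToken();`, then `$this->loginManager->generateStaySignedInToken('203.0.113.7');` (constructed sample address) and `$this->assertSame($first, $this->loginManager->getStaySignedInToken());`. `assertSame` is also the better fit for the existing comparison, since both sides are strings. The docblock reads "session protected disabled", which should be "session protection disabled".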