Commit 366dfa60 authored by moodler's avatar moodler

New config variable $CFG->tracksessionip will force Moodle to always

check that the user's IP number never changes
parent 3f58d600
......@@ -188,6 +188,13 @@ $CFG->defaultblocks = 'participants,activity_modules,search_forums,admin,course_
// then all addresses are ALLOWED EXCEPT those listed.
// $CFG->allowemailaddresses = "myschool.edu.au hotmail.com";
// $CFG->denyemailaddresses = "hotmail.com yahoo.com";
//
// If this setting is set to true, then Moodle will track the IP of the
// current user to make sure it hasn't changed during a session. This
// will prevent the possibility of sessions being hijacked via XSS, but it
// may break things for users coming using proxies that change all the time,
// like AOL.
// $CFG->tracksessionip = true;
//=========================================================================
// ALL DONE! To continue installation, visit your main page with a browser
......
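Review bot: The new comment on tracksessionip overstates what the check defends against: binding the session to the client address makes a stolen session cookie unusable from a different address, but it does not prevent hijacking via XSS, since script injected into the page runs in the victim's own browser and therefore from the victim's own IP. Suggest rewording the two lines to `// will make a stolen session cookie unusable from another address (it does not` / `// stop attacks running inside the user's own browser), but it may break things` / `// for users coming via proxies that change all the time, like AOL.`. The proxy caveat already given is the right one to keep, and it is worth noting here that the check is only as good as the address getremoteaddr() reports.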
......@@ -12,6 +12,7 @@ $string['missingfield'] = 'Field \"$a\" is missing';
$string['modulerequirementsnotmet'] = 'Module \"$a->modulename\" ($a->moduleversion) could not be installed. It requires a newer version of Moodle (currently you are using $a->currentmoodle, you need $a->requiremoodle).';
$string['notavailable'] = 'That is not currently available';
$string['restricteduser'] = 'Sorry, but your current account \"$a\" is restricted from doing that.';
$string['sessionipnomatch'] = 'Sorry, but your IP number seems to have changed from when you first logged in. This security feature prevents crackers stealing your identity while logged in to this site. Normal users should not be seeing this message - please ask the site administrator for help.';
$string['unknowncourse'] = 'Unknown course named \"$a\"';
$string['usernotaddederror'] = 'User \"$a\" not added - unknown error';
$string['usernotaddedregistered'] = 'User \"$a\" not added - already registered';
......
......@@ -588,6 +588,13 @@ function require_login($courseid=0, $autologinguest=true) {
die;
}
// Make sure current IP matches the one for this session (if required)
if (!empty($CFG->tracksessionip)) {
if ($USER->sessionIP != md5(getremoteaddr())) {
error(get_string('sessionipnomatch', 'error'));
}
}
// Next, check if the user can be in a particular course
if ($courseid) {
if ($courseid == SITEID) {
......@@ -1076,7 +1083,6 @@ function get_user_fieldnames() {
* Creates a bare-bones user record
*
* @uses $CFG
* @uses $REMOTE_ADDR
* @param string $username New user's username to add to record
* @param string $password New user's password to add to record
* @param string $auth Form of authentication required
......@@ -1084,7 +1090,7 @@ function get_user_fieldnames() {
* @todo Outline auth types and provide code example
*/
function create_user_record($username, $password, $auth='') {
global $REMOTE_ADDR, $CFG;
global $CFG;
//just in case check text case
$username = trim(moodle_strtolower($username));
......@@ -1160,6 +1166,7 @@ function guest_user() {
$newuser->confirmed = 1;
$newuser->site = $CFG->wwwroot;
$newuser->lang = $CFG->lang;
$newuser->lastIP = getremoteaddr();
}
return $newuser;
......@@ -1226,8 +1233,7 @@ function authenticate_user_login($username, $password) {
if ($md5password <> $user->password) { // Update local copy of password for reference
set_field('user', 'password', $md5password, 'username', $username);
}
// update user record from external DB
if ($user->auth != 'manual' && $user->auth != 'email'){
if (!is_internal_auth()) { // update user record from external DB
$user = update_user_record($username);
}
} else {
......@@ -1243,13 +1249,14 @@ function authenticate_user_login($username, $password) {
}
}
} else {
if ( record_exists('user_coursecreators', 'userid', $user->id)) {
if (record_exists('user_coursecreators', 'userid', $user->id)) {
if (! delete_records('user_coursecreators', 'userid', $user->id)) {
error('Cannot remove user from course creators.');
}
}
}
}
$user->sessionIP = md5(getremoteaddr()); // Store the current IP in the session
return $user;
} else {
......
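Review bot: The IP check added to require_login compares with loose `!=`, so a `$USER` whose `sessionIP` was never set — a session established before the option was turned on, or a user object built on a path that does not pass through authenticate_user_login (guest_user() in this change sets lastIP but not sessionIP) — compares `null` against the digest and every such session ends at the error page, and two hex digests that both happen to be numeric strings would be compared numerically rather than byte-wise. Prefer an explicit, strict form, `if (!isset($USER->sessionIP) || $USER->sessionIP !== md5(getremoteaddr())) {`, so the unset case is a deliberate decision rather than a side effect of loose comparison. If getremoteaddr() takes forwarded-for headers into account, the comparison rests on client-supplied data; its implementation is not in this diff, so that is worth confirming before relying on the check. require_login's body continues outside the hunk.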