diff --git a/app/main/controller/controller.php b/app/main/controller/controller.php
index 3c7e0e0d..3e046e09 100644
--- a/app/main/controller/controller.php
+++ b/app/main/controller/controller.php
@@ -18,6 +18,7 @@ class Controller {
 const COOKIE_NAME_STATE = 'cookie';
 const COOKIE_PREFIX_CHARACTER = 'char';
+ const ERROR_SESSION_SUSPECT = 'Suspect id: [%30s], ip: [%40s], new ip: [%40s], User-Agent: %s ';
 /**
 * @var \Base
 */
@@ -113,9 +114,33 @@ class Controller {
 * init new Session handler
 */
 protected function initSession(){
+ // init DB based Session (not file based)
 if( $this->getDB('PF') instanceof DB\SQL){
- new DB\SQL\Session($this->getDB('PF'));
+ // init session with custom "onsuspect()" handler
+ new DB\SQL\Session($this->getDB('PF'), 'sessions', true, function($session, $sid){
+ $f3 = $this->getF3();
+ if( ($ip = $session->ip() )!= $f3->get('IP') ){
+ // IP address changed -> not critical
+ $this->getLogger(
+ $f3->get('PATHFINDER.LOGFILES.SESSION_SUSPECT')
+ )->write( sprintf(
+ self::ERROR_SESSION_SUSPECT,
+ $sid,
+ $session->ip(),
+ $f3->get('IP'),
+ $f3->get('AGENT')
+ ));
+
+ // no more error handling here
+ return true;
+ }elseif($session->agent() != $f3->get('AGENT') ){
+ // The default behaviour destroys the suspicious session.
+ return false;
+ }
+
+ return true;
+ });
 }
 }
diff --git a/app/pathfinder.ini b/app/pathfinder.ini
index 4c5d3846..9a5eadfe 100644
--- a/app/pathfinder.ini
+++ b/app/pathfinder.ini
@@ -103,10 +103,12 @@ CONSTELLATION_SYSTEMS = 2592000
 [PATHFINDER.LOGFILES]
 ; just for manuel debug during development
 DEBUG = debug
-; user login information
+; login information
 LOGIN = login
+; session warnings (suspect)
+SESSION_SUSPECT = session_suspect
 ; account deleted
-DELETE_ACCOUNT = delete_account
+DELETE_ACCOUNT = account_delete
 ; API =============================================================================================
 [PATHFINDER.API]
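Review bot: When both the IP and the User-Agent differ, the `elseif` on `$session->agent()` is never reached because the IP branch returns `true` first, so a session presented from a new address with a different agent is kept even though the agent mismatch alone would destroy it; the agent check should run before the IP branch rather than as its alternative. While reordering, drop the unused `$ip` assignment and make both comparisons `!==`. The User-Agent value is client-supplied and is written into the log line through a bare `%s`; unless the log writer already strips line breaks, encoding it before the `sprintf` keeps one request from spanning several log lines. If F3's `IP` hive value honours forwarded-for style headers, the IP comparison is also client-influenced, which is worth confirming against the proxy setup.
```php
new DB\SQL\Session($this->getDB('PF'), 'sessions', true, function($session, $sid){
    $f3 = $this->getF3();
    if( $session->agent() !== $f3->get('AGENT') ){
        // User-Agent changed -> let the default handling destroy the session
        return false;
    }
    if( $session->ip() !== $f3->get('IP') ){
        // IP address changed -> not critical, log it and keep the session
        // … unchanged: getLogger(...)->write(sprintf(self::ERROR_SESSION_SUSPECT, ...)) …
    }
    return true;
});
```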
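Review bot: The `DELETE_ACCOUNT` value change from `delete_account` to `account_delete` renames the account-deletion log file independently of the session change; any log collection, retention or alerting rule keyed on the old file name would silently stop seeing those events. If the rename is intended, say so in the commit message or keep it as a separate commit so the operational impact is visible.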