From 4fbca80705f06ff3daef0eba20dd35623ad39dc8 Mon Sep 17 00:00:00 2001
From: Uli Schlachter
Date: Wed, 13 Jul 2011 20:40:55 +0200
Subject: [PATCH] WebMods: Set another cookie if the IP check fails

This means that they will get a new cookie on the next request. This will make sure that you will be able to use webadmin again if your IP changed (which seems to happen to quite a number of people).

Signed-off-by: Uli Schlachter
---
 WebModules.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/WebModules.cpp b/WebModules.cpp
index d30f91e3..572cf0d4 100644
--- a/WebModules.cpp
+++ b/WebModules.cpp
@@ -533,9 +533,16 @@ void CWebSock::OnPageRequest(const CString& sURI) {
 }
 
 CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI, CString& sPageRet) {
+    // Check that their session really belongs to their IP address. IP-based
+    // authentication is bad, but here it's just an extra layer that makes
+    // stealing cookies harder to pull off.
+    //
+    // When their IP is wrong, we give them an invalid cookie. This makes
+    // sure that they will get a new cookie on their next request.
     if (CZNC::Get().GetProtectWebSessions() && GetSession()->GetIP() != GetRemoteIP()) {
         DEBUG("Expected IP: " << GetSession()->GetIP());
         DEBUG("Remote IP: " << GetRemoteIP());
+        SendCookie("SessionId", "WRONG_IP_FOR_SESSION");
         PrintErrorPage(403, "Access denied", "This session does not belong to your IP.");
         return PAGE_DONE;
     }
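Review bot: The added `SendCookie("SessionId", "WRONG_IP_FOR_SESSION")` only replaces the client's copy of the cookie; nothing in the hunk touches the server-side session that `GetSession()` resolved, so the original session id stays valid for whoever presents it from the expected IP until it expires on its own. If the intent described in the new comment is to make a stolen cookie less useful, the note should say that the server-side session is deliberately kept alive for the legitimate client, e.g. `// Note: the session itself is left intact so the original client keeps working; only this client's cookie is reset.` — or, if that is not intended, the mismatch branch should also drop the session, which I cannot judge from this hunk. The literal cookie name `"SessionId"` is presumably also used wherever the cookie is read; a shared named constant would keep the two from drifting apart. Whether `SendCookie` applies path/HttpOnly attributes is not visible here, and the body of OnPageRequestInternal continues past the hunk.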