From fe06416f1787d27e90ad75f7c33eadd412574346 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Fri, 5 Mar 2021 12:27:23 +0300
Subject: [PATCH] sessions: stop validating against hash of user agent because
 chromium is sending different agent headers for whatever reason, example:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/88.0.4324.192 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/88.0.4324.104 Safari/537.36

This seems to be related, at least, to the App.postOpenWindow() hack.
---
 classes/userhelper.php |  1 -
 include/sessions.php   | 21 ++-------------------
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/classes/userhelper.php b/classes/userhelper.php
index d929583f7..2bb83a02a 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -48,7 +48,6 @@ class UserHelper {
 					$_SESSION["access_level"] = $user->access_level;
 					$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
 					$_SESSION["ip_address"] = UserHelper::get_user_ip();
-					$_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
 					$_SESSION["pwd_hash"] = $user->pwd_hash;
 
 					$user->last_login = Db::NOW();
diff --git a/include/sessions.php b/include/sessions.php
index cda42f52b..9044c609b 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -22,35 +22,18 @@
 	function validate_session() {
 		if (\Config::get(\Config::SINGLE_USER_MODE)) return true;
 
-		/* if (isset($_SESSION["ref_schema_version"]) && $_SESSION["ref_schema_version"] != \Config::get_schema_version()) {
-			$_SESSION["login_error_msg"] =
-				__("Session failed to validate (schema version changed)");
-			return false;
-		} */
-
 		$pdo = \Db::pdo();
 
 		if (!empty($_SESSION["uid"])) {
-
-			if ($_SESSION["user_agent"] != sha1($_SERVER['HTTP_USER_AGENT'])) {
-				$_SESSION["login_error_msg"] = __("Session failed to validate (UA changed).");
-				return false;
-			}
-
 			$user = \ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
 
 			if ($user) {
 				if ($user->pwd_hash != $_SESSION["pwd_hash"]) {
-
-					$_SESSION["login_error_msg"] =
-						__("Session failed to validate (password changed)");
-
+					$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
 					return false;
 				}
 			} else {
-				$_SESSION["login_error_msg"] =
-					__("Session failed to validate (user not found)");
-
+				$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
 				return false;
 			}
 		}
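Review bot: With the user-agent comparison removed, the only client-binding check left in this part of validate_session is `if ($user->pwd_hash != $_SESSION["pwd_hash"])`, and it uses loose `!=`; two hash strings should be compared with `!==` (or `hash_equals()`), since PHP's loose comparison treats numeric-looking strings numerically. The decision to drop UA binding deserves a comment next to the `if (!empty($_SESSION["uid"]))` line so a later reader does not re-add it, e.g. `// NOTE: session is deliberately not bound to HTTP_USER_AGENT: Chromium sends differing UA strings for the same client (see commit message).` The `ip_address` stored at login in classes/userhelper.php is not validated in the part of validate_session shown here either; if that is intentional, say so in the same comment. validate_session continues past the end of the hunk.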
-- 
GitLab