Merge branch '2.5.x' into saas

Conflicts:
	airtime_mvc/application/Bootstrap.php
	airtime_mvc/application/models/Auth.php

airtime_mvc/application/Bootstrap.php

@@ -14,6 +14,7 @@ require_once "DateHelper.php";
 require_once "OsPath.php";
 require_once "Database.php";
 require_once "Timezone.php";
+require_once "models/Auth.php";
 require_once __DIR__.'/forms/helpers/ValidationTypes.php';
 require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
 require_once __DIR__.'/controllers/plugins/Maintenance.php';
@@ -26,6 +27,8 @@ require_once __DIR__."/configs/navigation.php";
 
 Zend_Validate::setDefaultNamespaces("Zend");
 
+Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
+
 $front = Zend_Controller_Front::getInstance();
 $front->registerPlugin(new RabbitMqPlugin());
 

airtime_mvc/application/controllers/LoginController.php

@@ -15,7 +15,6 @@ class LoginController extends Zend_Controller_Action
         
         Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
         $auth = Zend_Auth::getInstance();
-        Application_Model_Auth::pinSessionToClient($auth);
         
         if ($auth->hasIdentity())
         {
@@ -96,7 +95,6 @@ class LoginController extends Zend_Controller_Action
     public function logoutAction()
     {
         $auth = Zend_Auth::getInstance();
-        Application_Model_Auth::pinSessionToClient($auth);
         $auth->clearIdentity();
         $this->_redirect('showbuilder/index');
     }
@@ -189,7 +187,6 @@ class LoginController extends Zend_Controller_Action
             $auth->invalidateTokens($user, 'password.restore');
 
             $zend_auth = Zend_Auth::getInstance();
-            Application_Model_Auth::pinSessionToClient($zend_auth);
             $zend_auth->clearIdentity();
 
             $authAdapter = Application_Model_Auth::getAuthAdapter();

airtime_mvc/application/models/Auth.php

@@ -112,11 +112,14 @@ class Application_Model_Auth
     }
     
     /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
-     *  different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID.
+     *  different copies of Airtime on the same webserver. This essentially pins this session to:
+     *   - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
+     *   - The remote IP of the browser - to help prevent session hijacking
+     *   - The client ID - same reason as server hostname
      * @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
      */
     public static function pinSessionToClient($auth)
     {
-        //$auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId()));
+        $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId()));
     }
 }