Index: lang/strings_english.txt
===================================================================
--- lang/strings_english.txt (revision 5688)
+++ lang/strings_english.txt (revision 5719)
@@ -298,9 +298,11 @@
 $MANTIS_ERROR[ERROR_TAG_ALREADY_ATTACHED] = 'That tag already attached to that bug.';
 $MANTIS_ERROR[ERROR_TOKEN_NOT_FOUND] = 'Token could not be found.';
 $MANTIS_ERROR[ERROR_SESSION_HANDLER_INVALID] = 'Invalid session handler.';
-$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable \'%s\' not found.';
+$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable "%s" not found.';
+$MANTIS_ERROR[ERROR_SESSION_NOT_VALID] = 'Your session has become invalidated.';
 $MANTIS_ERROR[ERROR_FORM_TOKEN_INVALID] = 'Invalid form security token. Did you submit the form twice by accident?';
 $MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.';
+$MANTIS_ERROR[ERROR_INVALID_SORT_FIELD] = 'Invalid sort field.';
 $s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.';
 $s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.';
Index: account_page.php
===================================================================
--- account_page.php (revision 5688)
+++ account_page.php (revision 5719)
@@ -94,6 +94,9 @@
+
+
+
Index: core/utility_api.php
===================================================================
--- core/utility_api.php (revision 5688)
+++ core/utility_api.php (revision 5719)
@@ -192,10 +192,20 @@
 $t_factor = 1;
 }
+ if( empty( $p_array ) ) {
+ return $p_array;
+ }
+ if( !is_array( current($p_array ) ) ) {
+ error_parameters( 'tried to multisort an invalid multi-dimensional array' );
+ trigger_error(ERROR_GENERIC, ERROR);
+ }
+
 // Security measure: see http://www.mantisbt.org/bugs/view.php?id=9704 for details
- if ( array_key_exists( $p_key, $p_array ) ) {
- $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
+ if( array_key_exists( $p_key, current($p_array) ) ) {
+ $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['" . $p_key . "'], \$b['" . $p_key . "'] );" );
 uasort( $p_array, $t_function );
+ } else {
+ trigger_error(ERROR_INVALID_SORT_FIELD, ERROR);
 }
 return $p_array;
 }
Index: core/session_api.php
===================================================================
--- core/session_api.php (revision 5688)
+++ core/session_api.php (revision 5719)
@@ -48,7 +48,7 @@
 * to PHP's session.* settings in 'php.ini'.
 */
 class MantisPHPSession extends MantisSession {
- function __construct() {
+ function __construct( $p_session_id=null ) {
 $t_session_save_path = config_get_global( 'session_save_path' );
 if ( $t_session_save_path ) {
 session_save_path( $t_session_save_path );
@@ -60,6 +60,11 @@
 } else {
 session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false );
 }
+
+ if ( !is_null( $p_session_id ) ) {
+ session_id( $p_session_id );
+ }
+
 session_start();
 $this->id = session_id();
 }
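Review bot: `$p_key` is still interpolated into the source string handed to `create_function()`, which is `eval()` under another name, and the only thing between a hostile key and code execution is `array_key_exists( $p_key, current($p_array) )`; that check is sound only if every key of the first row is trusted, since a key containing `'` or `\` would still break out of the `\$a['…']` literal. Before the `create_function()` call I would add a shape check that does not depend on where the array came from: `if ( !preg_match( '/^[A-Za-z0-9_]+$/', $p_key ) ) { trigger_error( ERROR_INVALID_SORT_FIELD, ERROR ); }`. `$t_factor` is interpolated too; it is assigned above this hunk (the function starts outside it), and I assume it is always 1 or -1. If Mantis's `ERROR` level does not halt inside `trigger_error()`, the new `!is_array( current($p_array ) )` branch also falls through into `array_key_exists()` with a non-array second argument, so a `return $p_array;` after that `trigger_error()` would be safer.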
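Review bot: `session_id( $p_session_id )` hands a caller-supplied ID to PHP without checking its form, and the initialisation code at the bottom of this same file now sources that value from `gpc_get_string( 'session_id', '' )`, i.e. from the request. PHP-generated session IDs only use the characters `[a-zA-Z0-9,-]`, so I would reject anything else before it reaches `session_id()`, inside the `!is_null` branch: `if ( !preg_match( '/^[a-zA-Z0-9,-]+$/', $p_session_id ) ) { trigger_error( ERROR_SESSION_NOT_VALID, ERROR ); }` (`ERROR_SESSION_NOT_VALID` is defined in this commit); I believe the files save handler would otherwise reject such an ID at write time with a warning rather than a clean error. Note also that `session_id()` only has an effect before `session_start()`; if a session is already active when this constructor runs a second time (verify.php now calls `session_init()` again), the assignment is silently ignored and the repeated `session_start()` raises a notice on PHP 5.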
@@ -102,13 +107,14 @@
 /**
 * Initialize the appropriate session handler.
+ * @param string Session ID
 */
-function session_init() {
+function session_init( $p_session_id=null ) {
 global $g_session, $g_session_handler;
 switch( strtolower( $g_session_handler ) ) {
 case 'php':
- $g_session = new MantisPHPSession();
+ $g_session = new MantisPHPSession( $p_session_id );
 break;
 case 'adodb':
@@ -119,9 +125,42 @@
 trigger_error( ERROR_SESSION_HANDLER_INVALID, ERROR );
 break;
 }
+
+ session_validate( $g_session );
 }
 /**
+ * Validate the legitimacy of a session.
+ * Checks may include last-known IP address, or more.
+ * Triggers an error when the session is invalid.
+ * @param object Session object
+ */
+function session_validate( $p_session ) {
+ $t_user_ip = '';
+ if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
+ $t_user_ip = trim( $_SERVER['REMOTE_ADDR'] );
+ }
+
+ if ( is_null( $t_last_ip = $p_session->get( 'last_ip', null ) ) ) {
+ # First session usage
+ $p_session->set( 'last_ip', $t_user_ip );
+
+ } else {
+ # Check a continued session request
+ if ( $t_user_ip != $t_last_ip ) {
+ session_clean();
+
+ trigger_error( ERROR_SESSION_NOT_VALID, WARNING );
+
+ $t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' );
+ echo "\t\n";
+
+ die();
+ }
+ }
+}
+
+/**
 * Get arbitrary data from the session.
 * @param string Session variable name
 * @param mixed Default value
@@ -190,4 +229,11 @@
 ##### Initialize the session
-session_init();
+$t_session_id = gpc_get_string( 'session_id', '' );
+
+if ( empty( $t_session_id ) ) {
+ session_init();
+} else {
+ session_init( $t_session_id );
+}
+
Index: core/constant_inc.php
===================================================================
--- core/constant_inc.php (revision 5688)
+++ core/constant_inc.php (revision 5719)
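Review bot: In `session_validate`, the first-use branch binds `last_ip` to whichever address presents the session first, so it only detects a later address change; it will also wipe the session of legitimate users whose `REMOTE_ADDR` changes mid-session (mobile networks, load-balanced proxies, NAT pools), and `session_clean()` plus `die()` gives them no way back except the redirect. The comparison `$t_user_ip != $t_last_ip` should be `!==`, since both operands are strings and `!=` applies PHP's numeric-string coercion. `$t_url` is built from `default_home_page` but the visible `echo "\t\n";` does not reference it; if the redirect markup was stripped when this diff was captured that is fine, otherwise the variable is dead. I would document the trade-off above the function with `# Binds the session to REMOTE_ADDR; a mismatch wipes the session and redirects home. Expect false positives behind proxies/NAT — consider making this configurable.`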
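Review bot: `session_init( $t_session_id )` adopts a session ID read from the request via `gpc_get_string( 'session_id', '' )`, and `MantisPHPSession::__construct` passes it straight to `session_id()` before `session_start()`, so anyone who gets a victim to follow a link with `?session_id=…` chooses the victim's session ID (session fixation); the IP binding in `session_validate` only helps when attacker and victim present different `REMOTE_ADDR` values, which is not the case behind a shared NAT or proxy. Whatever the request-supplied ID is for (its consumer is not visible here), the login path needs `session_regenerate_id( true )` once the user authenticates so a pre-chosen ID never survives authentication, and the parameter should be restricted to the session-ID alphabet before use: `if ( !preg_match( '/^[a-zA-Z0-9,-]+$/', $t_session_id ) ) { $t_session_id = ''; }`. Reading it from POST only (if `gpc_get_string` also accepts GET — confirm) would additionally keep the ID out of referer headers and proxy logs.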
@@ -195,6 +195,7 @@
 define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 );
 define( 'ERROR_PAGE_REDIRECTION', 18 );
 define( 'ERROR_INVALID_REQUEST_METHOD', 19 );
+ define( 'ERROR_INVALID_SORT_FIELD', 20 );
 # ERROR_CONFIG_*
 define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 );
@@ -326,6 +327,7 @@
 # ERROR_SESSION_*
 define ( 'ERROR_SESSION_HANDLER_INVALID', 2700);
 define ( 'ERROR_SESSION_VAR_NOT_FOUND', 2701);
+ define ( 'ERROR_SESSION_NOT_VALID', 2702);
 # ERROR_FORM_*
 define ( 'ERROR_FORM_TOKEN_INVALID', 2800 );
@@ -422,4 +424,3 @@
 define( 'SPONSORSHIP_REQUESTED', 1 );
 define( 'SPONSORSHIP_PAID', 2 );
-?>
Index: verify.php
===================================================================
--- verify.php (revision 5688)
+++ verify.php (revision 5719)
@@ -40,6 +40,11 @@
 # force logout on the current user if already authenticated
 if( auth_is_user_authenticated() ) {
 auth_logout();
+
+ # (Re)initialize session
+ session_regenerate_id();
+ session_init();
+ $g_session_pass_id = ON;
 }
 $t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );
@@ -49,7 +54,6 @@
 }
 # set a temporary cookie so the login information is passed between pages.
- auth_logout();
 auth_set_cookies( $f_user_id, false );
 user_reset_failed_login_count_to_zero( $f_user_id );
@@ -61,4 +65,4 @@
 user_increment_failed_login_count( $f_user_id );
 include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_page.php' );
-?>
+
Index: core.php
===================================================================
--- core.php (revision 5688)
+++ core.php (revision 5719)
@@ -145,7 +145,7 @@
 require_once( $t_core_path.'database_api.php' );
 # Basic browser detection
- $t_user_agent = $_SERVER['HTTP_USER_AGENT'];
+ $t_user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'none';
 $t_browser_name = 'Normal';
 if ( strpos( $t_user_agent, 'MSIE' ) ) {
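Review bot: `session_regenerate_id()` is called without the `$delete_old_session` argument, so unless `auth_logout()` already destroys it (not visible here) the pre-logout session data stays on disk under the old ID; `session_regenerate_id( true )`, available since PHP 5.1, removes it. The following `session_init()` constructs a fresh `MantisPHPSession`, whose constructor (changed in this commit) calls `session_set_cookie_params()` and `session_start()` unconditionally while the session started by core.php is still active — PHP 5 ignores the second `session_start()` with a notice, so it is unclear what this adds beyond the regenerated ID. `$g_session_pass_id = ON` is a bare global whose reader is not in this diff; a one-line comment naming it, e.g. `# consumed by <name> to carry the session id across the next redirect — TODO confirm`, would save the next reader a grep.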