| author | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-09-01 09:13:16 +0000 | 
|---|---|---|
| committer | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-09-01 09:13:16 +0000 | 
| commit | 25be923e821438abe161cf6fac734cd60dabecfa (patch) | |
| tree | 661245d0690bc4b53c038c7c2c3aeef4566b5655 | |
| parent | 676e87ccfae0d8a951b10145b41e13d2c5ccfe02 (diff) | |
| download | elgg-25be923e821438abe161cf6fac734cd60dabecfa.tar.gz elgg-25be923e821438abe161cf6fac734cd60dabecfa.tar.bz2  | |
Additional per-session random token: extra randomness as protection against CSRF. Please report any problems.
git-svn-id: https://code.elgg.org/elgg/trunk@2048 36083f99-b078-4883-b0ff-0f9b5a30f544
| -rw-r--r-- | engine/lib/actions.php | 5 | ||||
| -rw-r--r-- | engine/lib/sessions.php | 3 | 
2 files changed, 7 insertions, 1 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 76913f2b4..a78072f31 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -177,8 +177,11 @@
         	// Get user agent
         	$ua = $_SERVER['HTTP_USER_AGENT'];
+        	// Session token
+        	$st = $_SESSION['__elgg_session'];
+        	
         	if (($site_secret) && ($session_id))
-        		return md5($site_secret.$timestamp.$session_id.$ua);
+        		return md5($site_secret.$timestamp.$session_id.$ua.$st);
         	return false;
         }
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 0a35fec1a..3dd9ac9e1 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -204,6 +204,9 @@
 			{
 			    $_SESSION['__elgg_fingerprint'] = get_session_fingerprint();
 			}
+			
+			// Generate a simple token
+			if (!isset($_SESSION['__elgg_session'])) $_SESSION['__elgg_session'] = md5(microtime().rand());
 	        if (empty($_SESSION['guid'])) {
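Review bot: `$st = $_SESSION['__elgg_session'];` in the actions.php hunk reads the key unguarded, so when the token has not been generated yet (a session that predates this change, or a request on which the sessions.php hunk has not run — that hunk only assigns when `!isset`) PHP raises an undefined-index notice, `$st` is null, and the md5 input silently degrades to the pre-change form. The function already returns false when the site secret or session id is missing, so the new input should be treated the same way: `if (empty($_SESSION['__elgg_session'])) return false;` before `$st = $_SESSION['__elgg_session'];`. The token's value as CSRF protection also rests on how the sessions.php hunk generates it, `md5(microtime().rand())`, where neither `microtime()` nor `rand()` is a cryptographically secure source; it should come from a CSPRNG (on PHP 7+, `bin2hex(random_bytes(16))`). The enclosing function's signature and the assignments of `$site_secret`, `$timestamp` and `$session_id` lie outside the hunk.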
  	            if (isset($_COOKIE['elggperm'])) {            
