aboutsummaryrefslogtreecommitdiff
path: root/engine
diff options
context:
space:
mode:
authormarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-09-01 09:13:16 +0000
committermarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-09-01 09:13:16 +0000
commit25be923e821438abe161cf6fac734cd60dabecfa (patch)
tree661245d0690bc4b53c038c7c2c3aeef4566b5655 /engine
parent676e87ccfae0d8a951b10145b41e13d2c5ccfe02 (diff)
downloadelgg-25be923e821438abe161cf6fac734cd60dabecfa.tar.gz
elgg-25be923e821438abe161cf6fac734cd60dabecfa.tar.bz2
Additional per-session random token, additional randomness protection against CSRF. Report problems.
git-svn-id: https://code.elgg.org/elgg/trunk@2048 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r--engine/lib/actions.php5
-rw-r--r--engine/lib/sessions.php3
2 files changed, 7 insertions, 1 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 76913f2b4..a78072f31 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -177,8 +177,11 @@
// Get user agent
$ua = $_SERVER['HTTP_USER_AGENT'];
+ // Session token
+ $st = $_SESSION['__elgg_session'];
+
if (($site_secret) && ($session_id))
- return md5($site_secret.$timestamp.$session_id.$ua);
+ return md5($site_secret.$timestamp.$session_id.$ua.$st);
return false;
}
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 0a35fec1a..3dd9ac9e1 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -204,6 +204,9 @@
{
$_SESSION['__elgg_fingerprint'] = get_session_fingerprint();
}
+
+ // Generate a simple token
+ if (!isset($_SESSION['__elgg_session'])) $_SESSION['__elgg_session'] = md5(microtime().rand());
if (empty($_SESSION['guid'])) {
if (isset($_COOKIE['elggperm'])) {