author | Andreas Gohr <andi@splitbrain.org> | 2011-03-19 19:21:52 +0100 |
committer | Andreas Gohr <andi@splitbrain.org> | 2011-03-19 19:21:52 +0100 |
commit | e940aea40842bfcf6db8c09bba3135cb9cb5eef9 (patch) | |
tree | cbb7aedf4fffa1c07dba031223acf6a959382d9f | |
parent | 234ce57eac492a1f07414d42c0c406666f3fa887 (diff) | |
bind non-sticky logins to the session id FS#2202
-rw-r--r-- | inc/auth.php | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 85c8cfd7b..53376be34 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -189,7 +189,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 if ($auth->checkPass($user,$pass)){
 // make logininfo globally available
 $_SERVER['REMOTE_USER'] = $user;
- auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky);
+ $secret = auth_cookiesalt();
+ if(!$sticky) $secret .= session_id; //bind non-sticky to session
+ auth_setCookie($user,PMA_blowfish_encrypt($pass,$secret),$sticky);
 return true;
 }else{
 //invalid credentials - log off
@@ -218,7 +220,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 return true;
 }
 // no we don't trust it yet - recheck pass but silent
- $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt());
+ $secret = auth_cookiesalt();
+ if(!$sticky) $secret .= session_id(); //bind non-sticky to session
+ $pass = PMA_blowfish_decrypt($pass,$secret);
 return auth_login($user,$pass,$sticky,true);
 }
 } |
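Review bot: In the first hunk `$secret .= session_id;` uses the bare identifier instead of calling the function, so PHP resolves it as an undefined constant and appends the literal string `"session_id"` (with a notice) rather than the current session id, while the second hunk correctly uses `session_id()`. The two sides therefore derive different secrets: a non-sticky cookie written at login is encrypted with salt plus `"session_id"` but re-checked with salt plus the real session id, so the decrypt yields garbage and the recursive `auth_login` call fails, logging the user off instead of re-validating. The line should read `if(!$sticky) $secret .= session_id(); //bind non-sticky to session` so both hunks agree. Even with that fixed, the cookie presumably stops decrypting if the session id is regenerated mid-login, which appears to be the intended binding and is worth stating in the comment. The body of auth_login continues outside both hunks.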