path: root/inc/auth.php
authorAndreas Gohr <andi@splitbrain.org>2011-03-19 15:32:14 +0100
committerAndreas Gohr <andi@splitbrain.org>2011-03-19 15:32:14 +0100
commit234ce57eac492a1f07414d42c0c406666f3fa887 (patch)
treed117efcca4d96170a52e9409f9e0f15702885f02 /inc/auth.php
parent74efffc3dc025c612dcdfa70f31ad24dccf36682 (diff)
store session pass as hash
This avoids having the blowfish encrypted pass stored together with the decryption key on the same server.
Diffstat (limited to 'inc/auth.php')
-rw-r--r--inc/auth.php5
1 files changed, 3 insertions, 2 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 164ad3df9..85c8cfd7b 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -209,8 +209,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
$auth->useSessionCache($user) &&
($session['time'] >= time()-$conf['auth_security_timeout']) &&
($session['user'] == $user) &&
- ($session['pass'] == $pass) && //still crypted
+ ($session['pass'] == sha1($pass)) && //still crypted
($session['buid'] == auth_browseruid()) ){
+
// he has session, cookie and browser right - let him in
$_SERVER['REMOTE_USER'] = $user;
$USERINFO = $session['info']; //FIXME move all references to session
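Review bot: The new comparison at `($session['pass'] == sha1($pass))` keeps the loose `==` operator, and now both operands are hex digests, which is exactly the case where PHP's numeric-string juggling can make two different digests compare equal (two strings of the form `0e` followed only by digits are both evaluated as zero). Since the other conditions in this chain are also equality checks on session-controlled values, the strict form is the safer default: `($session['pass'] === sha1($pass)) && //sha1 of the still crypted pass`. The trailing comment `//still crypted` is also now misleading, because the session no longer holds the crypted pass but its hash; the rewritten comment above covers that. auth_login's body starts and continues outside this hunk.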
@@ -979,7 +980,7 @@ function auth_setCookie($user,$pass,$sticky) {
}
// set session
$_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
- $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
+ $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass);
$_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
$_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
$_SESSION[DOKU_COOKIE]['auth']['time'] = time();
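Review bot: The hashing of the session pass is now spelled out twice, here as `$_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass);` and in auth_login as `sha1($pass)`, with nothing tying the two together; if one side is ever changed (a different digest, a salt) the other will silently stop matching and every session will fail the cache check. A one-line documented helper would keep writer and reader in step, e.g. `function auth_sessionPassHash($pass){ return sha1($pass); } // hash used to store/compare the crypted pass in the session`, with both sites calling it. A short comment at the assignment explaining why only the hash is stored (the commit message's rationale: the crypted pass must not sit next to its key on the server) would also help the next reader. auth_setCookie's body starts outside this hunk.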