diff options
author | Andreas Gohr <andi@splitbrain.org> | 2011-10-15 20:53:56 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2011-10-15 20:53:56 +0200 |
commit | 8071beaa75257a6e763bf8b2d6dd586fe0935d6b (patch) | |
tree | da3f0e39505011a4efdba01224c495987ffe3c01 /inc/common.php | |
parent | f20ead66bf5f9c5e4f7deef3cc2af9954973cc16 (diff) | |
download | rpg-8071beaa75257a6e763bf8b2d6dd586fe0935d6b.tar.gz rpg-8071beaa75257a6e763bf8b2d6dd586fe0935d6b.tar.bz2 |
bind security token to username
This makes the security token more robust agains session fixation
attacks. A CSRF warning will no longer abort a page save but lead to the
preview mode to avoid information loss when a user logs in during
editing (eg in another tab).
Diffstat (limited to 'inc/common.php')
-rw-r--r-- | inc/common.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/inc/common.php b/inc/common.php index 39af439f8..0c769c50d 100644 --- a/inc/common.php +++ b/inc/common.php @@ -56,7 +56,7 @@ function stripctl($string){ * @return string */ function getSecurityToken(){ - return md5(auth_cookiesalt().session_id()); + return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']); } /** |