authorAndreas Gohr <andi@splitbrain.org>2011-10-15 20:53:56 +0200
committerAndreas Gohr <andi@splitbrain.org>2011-10-15 20:53:56 +0200
commit8071beaa75257a6e763bf8b2d6dd586fe0935d6b (patch)
treeda3f0e39505011a4efdba01224c495987ffe3c01 /inc
parentf20ead66bf5f9c5e4f7deef3cc2af9954973cc16 (diff)
bind security token to username
This makes the security token more robust against session fixation attacks. A CSRF warning will no longer abort a page save but will lead to the preview mode instead, to avoid information loss when a user logs in during editing (e.g. in another tab).
Diffstat (limited to 'inc')
-rw-r--r--inc/actions.php2
-rw-r--r--inc/common.php2
2 files changed, 2 insertions, 2 deletions
diff --git a/inc/actions.php b/inc/actions.php
index 1a0ae4028..ddfafc554 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -101,7 +101,7 @@ function act_dispatch(){
if(checkSecurityToken()){
$ACT = act_save($ACT);
}else{
- $ACT = 'show';
+ $ACT = 'preview';
}
}
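Review bot: The fallback to `'preview'` on a failed token check deserves a comment, since a later reader will otherwise read it as silently tolerating a CSRF failure rather than as a deliberate data-preserving choice; I would add above the `else` branch: `// token mismatch (e.g. user logged in from another tab, so the token now differs): do not save, but drop into preview so the edited text is not lost`. It is worth stating in the comment that the submitted text is only rendered, not written, so the security property still holds. act_dispatch starts before this hunk and continues after it, so I could not check whether checkSecurityToken() itself reports the mismatch to the user; if it does not, the preview should carry a visible warning explaining why the save did not happen.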
diff --git a/inc/common.php b/inc/common.php
index 39af439f8..0c769c50d 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -56,7 +56,7 @@ function stripctl($string){
* @return string
*/
function getSecurityToken(){
- return md5(auth_cookiesalt().session_id());
+ return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']);
}
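Review bot: `$_SERVER['REMOTE_USER']` is read unconditionally on the new line, but for a visitor who is not logged in that index is typically not set, so every token computation for anonymous users will raise an undefined-index notice (and, depending on error handling, leak a warning into the page). Read it defensively and fold the empty string in for anonymous sessions: `$user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';` followed by `return md5(auth_cookiesalt().session_id().$user);`. This keeps the binding to the username the commit intends while making the anonymous case well-defined. I am inferring that this code also runs for anonymous users from the fact that tokens are generated before the login check elsewhere; if the project guarantees REMOTE_USER is always populated (e.g. set by the wiki's own auth layer for every request), the guard is still cheap insurance against web-server-level auth configurations that leave it unset.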
/**