From 8071beaa75257a6e763bf8b2d6dd586fe0935d6b Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 20:53:56 +0200
Subject: bind security token to username

This makes the security token more robust agains session fixation
attacks. A CSRF warning will no longer abort a page save but lead to the
preview mode to avoid information loss when a user logs in during
editing (eg in another tab).
---
 inc/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc/common.php')

diff --git a/inc/common.php b/inc/common.php
index 39af439f8..0c769c50d 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -56,7 +56,7 @@ function stripctl($string){
  * @return  string
  */
 function getSecurityToken(){
-    return md5(auth_cookiesalt().session_id());
+    return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']);
 }
 
 /**
-- 
cgit v1.2.3