Overview
Comment: | Form: don't use session_id as it can change between calls |
SHA1: |
2ebe5447917d5b915baffa17b38f968d |
User & Date: | bohwaz on 2023-05-11 09:12:36 |
Context
2023-05-11
09:21 | Form: add a user-specific cookie for CSRF check-in: 100de0f995 user: bohwaz tags: trunk | |
09:12 | Form: don't use session_id as it can change between calls check-in: 2ebe544791 user: bohwaz tags: trunk | |
09:03 | AbstractEntity: Fix typo check-in: eb5d6ed18f user: bohwaz tags: trunk | |
Changes
Modified src/lib/KD2/Form.php from [f5d454fc17] to [ccaf0ac9c9].
70 71 72 73 74 75 76 | $action = self::tokenAction($action); $random = random_int(0, PHP_INT_MAX); $expire = floor(time() / 3600) + $expire; $value = $expire . $random . $action; | | | 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 | $action = self::tokenAction($action); $random = random_int(0, PHP_INT_MAX); $expire = floor(time() / 3600) + $expire; $value = $expire . $random . $action; $hash = hash_hmac('sha256', $expire . $random . $action, self::$token_secret); return $hash . '/' . dechex($expire) . '/' . dechex($random); } /** * Checks a CSRF token * @param string $action An action description, if NULL then REQUEST_URI will be used |
114 115 116 117 118 119 120 | // Expired token if ($expire < ceil(time() / 3600)) { return false; } | | | | 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 | // Expired token if ($expire < ceil(time() / 3600)) { return false; } $hash = hash_hmac('sha256', $expire . $random . $action, self::$token_secret); return hash_equals($hash, $user_hash); } /** * Generates a random field name for the current token action * @param string $action An action description, if NULL then REQUEST_URI will be used * @return string */ static public function tokenFieldName($action = null) { $action = self::tokenAction($action); return 'ct_' . sha1($action . $_SERVER['DOCUMENT_ROOT'] . $_SERVER['SERVER_NAME']); } /** * Returns the supplied action name or if it is NULL, then the REQUEST_URI * @param string $action * @return string */ |
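Review bot: The MAC input `$expire . $random . $action` on new line 75, repeated in the check on new line 119, concatenates two variable-length decimal numbers with no separator, so different (expire, random) pairs yield the same HMAC input; since the check on new line 116 compares `$expire` (presumably parsed from the token outside this hunk) against the current hour, a token's expiry can be shifted without invalidating its hash. Compute the HMAC over exactly the encoded form that is transmitted, `$value = dechex($expire) . '/' . dechex($random) . '/' . $action;` followed by `$hash = hash_hmac('sha256', $value, self::$token_secret);` in both places, which also gives the otherwise unused `$value` on new line 73 a purpose. Separately, with session_id() dropped from the input the token is bound only to the action, the expiry hour and the shared `self::$token_secret`, so a token minted for one session verifies in any other session until it expires; the next check-in on the timeline (100de0f995, "add a user-specific cookie for CSRF") appears to be where that binding is restored and is worth reviewing together with this one. The signature of the generating function on new lines 70–77 lies outside the hunk.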