authorSébastien SAUVAGE <sebsauvage@sebsauvage.net>2013-02-28 09:19:00 +0100
committerSébastien SAUVAGE <sebsauvage@sebsauvage.net>2013-02-28 09:19:00 +0100
commita1f5a6ec17896a7f3042ebfd8aae8c09d41f912d (patch)
tree8173ed778c57cec8ec980473604d05e9ce2bebc3
parent9e8209064db1e06b99b98ff3309d368d110b22b3 (diff)
downloadShaarli-a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d.tar.gz
Shaarli-a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d.tar.zst
Shaarli-a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d.zip
Improved token security
...by adding a salt. These tokens are used in forms which act on data, to prevent CSRF attacks. This closes issue https://github.com/sebsauvage/Shaarli/issues/24
-rw-r--r--index.php2
1 files changed, 1 insertions, 1 deletions
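--- a/index.php
+++ b/index.php
@@ -576,7 +576,7 @@ if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are atta
 // Returns a token.
 function getToken()
 {
- $rnd = sha1(uniqid('',true).'_'.mt_rand()); // We generate a random string.
+ $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string.
  $_SESSION['tokens'][$rnd]=1; // Store it on the server side.
  return $rnd;
 }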
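Review bot: The token on the changed line 579 is still derived from uniqid() and mt_rand(), neither of which is a cryptographic source; appending the salt only helps as long as $GLOBALS['salt'] is set, secret and unpredictable, and the hunk does not show where it is defined or whether an unset salt is detected (with an undefined index the expression silently degrades to the previous predictability). A CSPRNG would remove the dependence on the salt's secrecy, e.g. `$rnd = function_exists('openssl_random_pseudo_bytes') ? bin2hex(openssl_random_pseudo_bytes(20)) : sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']);`. The comment should also state the precondition, e.g. `// Requires $GLOBALS['salt'] to be a secret, per-install random value; it is mixed into the token to resist guessing.` The consuming check that validates the token against $_SESSION['tokens'] lies outside this hunk and is not covered here.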