diff options
author | Sébastien SAUVAGE <sebsauvage@sebsauvage.net> | 2013-02-28 09:19:00 +0100 |
---|---|---|
committer | Sébastien SAUVAGE <sebsauvage@sebsauvage.net> | 2013-02-28 09:19:00 +0100 |
commit | a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d (patch) | |
tree | 8173ed778c57cec8ec980473604d05e9ce2bebc3 /index.php | |
parent | 9e8209064db1e06b99b98ff3309d368d110b22b3 (diff) | |
download | Shaarli-a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d.tar.gz Shaarli-a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d.tar.zst Shaarli-a1f5a6ec17896a7f3042ebfd8aae8c09d41f912d.zip |
Improved token security
...by adding salt. These token are used in form which act on data to
prevent CSRF attacks.
This closes issue https://github.com/sebsauvage/Shaarli/issues/24
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -576,7 +576,7 @@ if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are atta | |||
576 | // Returns a token. | 576 | // Returns a token. |
577 | function getToken() | 577 | function getToken() |
578 | { | 578 | { |
579 | $rnd = sha1(uniqid('',true).'_'.mt_rand()); // We generate a random string. | 579 | $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string. |
580 | $_SESSION['tokens'][$rnd]=1; // Store it on the server side. | 580 | $_SESSION['tokens'][$rnd]=1; // Store it on the server side. |
581 | return $rnd; | 581 | return $rnd; |
582 | } | 582 | } |