Improved token security
...by adding salt. These token are used in form which act on data to prevent CSRF attacks. This closes issue https://github.com/sebsauvage/Shaarli/issues/24
This commit is contained in:
parent
9e8209064d
commit
a1f5a6ec17
1 changed files with 1 additions and 1 deletions
|
@ -576,7 +576,7 @@ if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are atta
|
|||
// Returns a token.
|
||||
function getToken()
|
||||
{
|
||||
$rnd = sha1(uniqid('',true).'_'.mt_rand()); // We generate a random string.
|
||||
$rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string.
|
||||
$_SESSION['tokens'][$rnd]=1; // Store it on the server side.
|
||||
return $rnd;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue