Improved token security

...by adding salt. These tokens are used in forms which act on data to
prevent CSRF attacks.
This closes issue https://github.com/sebsauvage/Shaarli/issues/24
Sébastien SAUVAGE 2013-02-28 09:19:00 +01:00
parent 9e8209064d
commit a1f5a6ec17


@ -576,7 +576,7 @@ function html_extract_title($html)
// Returns a token. // Returns a token.
function getToken() function getToken()
{ {
$rnd = sha1(uniqid('',true).'_'.mt_rand()); // We generate a random string. $rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string.
$_SESSION['tokens'][$rnd]=1; // Store it on the server side. $_SESSION['tokens'][$rnd]=1; // Store it on the server side.
return $rnd; return $rnd;
} }
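Review bot: appending `$GLOBALS['salt']` to the hashed string in the new `$rnd = sha1(...)` line only helps if the salt is secret and was itself generated from a cryptographically secure source, because the other inputs, `uniqid('',true)` and `mt_rand()`, are not cryptographically secure random sources (uniqid is derived from the current time, mt_rand is a seeded Mersenne Twister). Consider deriving the token from a CSPRNG instead, for example `$rnd = bin2hex(openssl_random_pseudo_bytes(20));` (available since PHP 5.3), and make sure `$GLOBALS['salt']` is always defined before getToken() is called, since an undefined index would raise a notice and silently hash with an empty salt.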