Improved token security

...by adding salt. These token are used in form which act on data to
prevent CSRF attacks.
This closes issue https://github.com/sebsauvage/Shaarli/issues/24
This commit is contained in:
Sébastien SAUVAGE 2013-02-28 09:19:00 +01:00
parent 9e8209064d
commit a1f5a6ec17

View file

@ -576,7 +576,7 @@ if (!isset($_SESSION['tokens'])) $_SESSION['tokens']=array(); // Token are atta
// Returns a token.
function getToken()
{
$rnd = sha1(uniqid('',true).'_'.mt_rand()); // We generate a random string.
$rnd = sha1(uniqid('',true).'_'.mt_rand().$GLOBALS['salt']); // We generate a random string.
$_SESSION['tokens'][$rnd]=1; // Store it on the server side.
return $rnd;
}