@@ -204,7 +204,11 @@ function __construct(\DB\SQL $db,$table='sessions',$force=TRUE,$onsuspect=NULL,$ | |
register_shutdown_function('session_commit'); | ||
$fw=\Base::instance(); | ||
$headers=$fw->HEADERS; | ||
$this->_csrf=$fw->SEED.'.'.$fw->hash(mt_rand()); | ||
$this->_csrf=$fw->SEED.'.'.$fw->hash( | ||
extension_loaded('openssl')? | ||
array_pop(unpack('L',openssl_random_pseudo_bytes(4))): | ||
mt_rand() | ||
); | ||
if ($key) | ||
$fw->$key=$this->_csrf; | ||
$this->_agent=isset($headers['User-Agent'])?$headers['User-Agent']:''; | ||
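Review bot: the openssl branch `extension_loaded('openssl')? array_pop(unpack('L',openssl_random_pseudo_bytes(4))): mt_rand()` ignores the by-reference `$crypto_strong` flag of `openssl_random_pseudo_bytes()`, so a non-strong result (or a `FALSE` return on older PHP, which `unpack()` would then choke on) is used silently, and it only draws 4 bytes (32 bits) before hashing, which is a small space for a CSRF token. Consider requesting more bytes (e.g. 16), passing and checking the flag, and falling back to `mt_rand()` only when the flag is false. Note also that the `$fw->SEED.'.'` prefix is unchanged, so the token still hands SEED to every client.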
KOTRET (Contributor) commented:

I know that the system variable `SEED` is only used as a prefix for cache entries and temporary files (according to "New framework variable: SEED"), but I don't like the fact that this secret is shared with the world as the CSRF token. A user shouldn't know if a common cache and temp file storage is shared across multiple domains.

One could try to use the `SEED` as the seed for a random function, and the CSRF token would make the pseudo-random values predictable.

Please correct me if I'm wrong. @bcosca @ikkez
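To make the concern concrete, here is an added example (not code from the fatfree framework or from this commit) that builds a token with the layout shown in the diff and recovers the seed prefix from it by splitting on `.`, next to a hardened token that carries no framework secret, draws 128 bits from the CSPRNG, refuses to proceed silently when the source is not cryptographically strong, and is compared in constant time. The `$SEED` value, `sha1()` standing in for `$fw->hash()`, and the function names are assumptions of this example, not part of the project.

```php
<?php
// Added example, not fatfree code. Contrasts the token layout from the diff
// (SEED.'.'.hash(random)) with a token that does not embed the seed.

// Constructed stand-in for the framework's SEED; the real value is derived by
// the framework and is not meant to reach clients.
$SEED = 'example.seed';

// Layout from the diff. Whoever receives the token can split on '.' and read
// the seed back; sha1() stands in for $fw->hash() here (assumption).
function leaky_csrf($seed) {
    $rand = extension_loaded('openssl')
        ? array_pop(unpack('L', openssl_random_pseudo_bytes(4)))
        : mt_rand();
    return $seed.'.'.sha1($rand);
}

// Hardened version: no secret in the token, 16 random bytes, and an explicit
// failure instead of a silent fallback when the RNG is not crypto-strong.
function strong_csrf() {
    if (function_exists('random_bytes')) {          // PHP >= 7
        return bin2hex(random_bytes(16));
    }
    $strong = false;
    $bytes = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong RNG available');
    }
    return bin2hex($bytes);
}

// Constant-time comparison of a submitted token against the session copy,
// with a manual loop for PHP builds older than 5.6 (no hash_equals()).
function csrf_matches($expected, $submitted) {
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $submitted);
    }
    if (strlen($expected) !== strlen($submitted)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($expected); $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

// Demonstrate the leak: the first '.'-separated field of the token is SEED.
$leaky = leaky_csrf($SEED);
list($recovered) = explode('.', $leaky, 2);
echo "leaky token:    $leaky\n";
echo "seed recovered: $recovered\n";

// Demonstrate the hardened token and the comparison helper.
$token = strong_csrf();
echo "hardened token: $token\n";
var_dump(csrf_matches($token, $token));
var_dump(csrf_matches($token, str_repeat('0', strlen($token))));
```

The hardened token is stored in the session and echoed into forms exactly as the framework does with `$fw->$key`; the only change is what the string contains. Hashing the random value, as the diff does, does not help if the seed is concatenated in clear in front of it.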