
Fix autologin token, form tokens failed cause session was not set

onli committed Feb 20, 2019
1 parent c737565 commit f9482795830032db9ca052fb8c06c25c94f27e03
Showing with 5 additions and 2 deletions.
  1. +5 −2 include/functions_config.inc.php
@@ -392,8 +392,9 @@ function serendipity_login($use_external = true) {
} elseif (isset($serendipity['COOKIE']['author_username'])) { } elseif (isset($serendipity['COOKIE']['author_username'])) {
$user = $serendipity['COOKIE']['author_username']; $user = $serendipity['COOKIE']['author_username'];
$valid_logintoken = serendipity_checkAutologin($user); $valid_logintoken = serendipity_checkAutologin($user);
if ($valid_logintoken === true) { if ($valid_logintoken === true) {
// if we do not tie down the session gere it will be recreated on every page reload, which will fuck op the form token system. That's why we need to load all data that makes the session stick. That's why we call setAuthorToken here.
serendipity_setAuthorToken();
serendipity_load_userdata($user); serendipity_load_userdata($user);
return true; return true;
} else { } else {
@@ -600,7 +601,7 @@ function serendipity_authenticate_author($username = '', $password = '', $is_has
} }
} }
// This code is only reached, if the password before is valid. // This code is only reached if the password before is valid.
if ($is_valid_user) { if ($is_valid_user) {
if ($debug) fwrite($fp, date('Y-m-d H:i') . ' [sid:' . session_id() . '] - Success.' . "\n"); if ($debug) fwrite($fp, date('Y-m-d H:i') . ' [sid:' . session_id() . '] - Success.' . "\n");
serendipity_setCookie('old_session', session_id(), false); serendipity_setCookie('old_session', session_id(), false);
@@ -2051,11 +2052,13 @@ function serendipity_checkFormToken($output = true) {
if ($output) echo serendipity_reportXSRF('token', false); if ($output) echo serendipity_reportXSRF('token', false);
return false; return false;
} }
if ($token != md5(session_id()) && if ($token != md5(session_id()) &&
$token != md5($serendipity['COOKIE']['old_session'])) { $token != md5($serendipity['COOKIE']['old_session'])) {
if ($output) echo serendipity_reportXSRF('token', false); if ($output) echo serendipity_reportXSRF('token', false);
return false; return false;
} }
return true; return true;
} }
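Review bot: The token check in serendipity_checkFormToken (third hunk) still compares with loose `!=` and hashes `$serendipity['COOKIE']['old_session']` without checking that the cookie is present. The only visible place that sets `old_session` is serendipity_authenticate_author (second hunk), so on the autologin branch this commit touches the fallback may be compared against the md5 of an empty value, which is a constant and not tied to the session; whether serendipity_setAuthorToken sets that cookie is not visible here. I would skip the fallback when the cookie is absent and use a strict, constant-time comparison: `$old = isset($serendipity['COOKIE']['old_session']) ? (string)$serendipity['COOKIE']['old_session'] : null;` followed by `if (!hash_equals(md5(session_id()), (string)$token) && ($old === null || !hash_equals(md5($old), (string)$token))) {`. The function starts above the hunk, so how `$token` is read is not shown and the casts should be checked against it.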
