
BUGFIX Using RandomGenerator class in Member->logIn(), Member->autoLo…

…gin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of 'RememberLoginToken' and 'AutoLoginHash' fields to 1024 characters to support longer token strings.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@114504 467b73ca-7a2a-4603-9d3b-597d59a354a9
1 parent 1dddd52 commit a0a88af25571f4d2dd61b55b1d87e57734b86451 @chillu chillu committed Dec 5, 2010
Showing with 9 additions and 9 deletions.
  1. +9 −9 security/Member.php
@@ -11,11 +11,11 @@ class Member extends DataObject {
'Surname' => 'Varchar',
'Email' => 'Varchar',
'Password' => 'Varchar(160)',
- 'RememberLoginToken' => 'Varchar(50)',
+ 'RememberLoginToken' => 'Varchar(1024)',
'NumVisit' => 'Int',
'LastVisited' => 'SS_Datetime',
'Bounced' => 'Boolean', // Note: This does not seem to be used anywhere.
- 'AutoLoginHash' => 'Varchar(30)',
+ 'AutoLoginHash' => 'Varchar(1024)',
'AutoLoginExpired' => 'SS_Datetime',
// This is an arbitrary code pointing to a PasswordEncryptor instance,
// not an actual encryption algorithm.
@@ -327,8 +327,8 @@ function logIn($remember = false) {
$this->NumVisit++;
if($remember) {
- $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
- $this->RememberLoginToken = $token;
+ $generator = new RandomGenerator();
+ $this->RememberLoginToken = $generator->generateHash('sha1');
Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
} else {
$this->RememberLoginToken = null;
@@ -395,9 +395,9 @@ static function autoLogin() {
Session::set("loggedInAs", $member->ID);
// This lets apache rules detect whether the user has logged in
if(self::$login_marker_cookie) Cookie::set(self::$login_marker_cookie, 1, 0, null, null, false, true);
-
- $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID));
- $member->RememberLoginToken = $token;
+
+ $generator = new RandomGenerator();
+ $member->RememberLoginToken = $generator->generateHash('sha1');
Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
$member->NumVisit++;
@@ -442,8 +442,8 @@ function logOut() {
function generateAutologinHash($lifetime = 2) {
do {
- $hash = substr(base_convert(md5(uniqid(mt_rand(), true)), 16, 36),
- 0, 30);
+ $generator = new RandomGenerator();
+ $hash = $generator->generateHash('sha1');
} while(DataObject::get_one('Member', "\"AutoLoginHash\" = '$hash'"));
$this->AutoLoginHash = $hash;
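Review bot: `$token` is no longer defined when `Cookie::set('alc_enc', ...)` runs in logIn() and autoLogin(), because the new lines assign the generated hash straight to `RememberLoginToken` and drop the `$token = ...` assignment that the unchanged cookie line still reads; the cookie would then carry only `ID:` with an empty token, so the remember-me cookie can never match the stored `RememberLoginToken` and the autologin path breaks (the same defect appears in both the logIn() and autoLogin() hunks). Keep the local in logIn(): `$token = $generator->generateHash('sha1');` followed by `$this->RememberLoginToken = $token;`, and the same pair with `$member` in autoLogin(), so the cookie and the database hold the same value. The bodies of logIn(), autoLogin() and generateAutologinHash() all continue past their hunks, so any further use of `$token` below the visible lines should be checked as well. While here, a one-line comment above the generator calls stating what the stored token is compared against would help, e.g. `// Token is stored in RememberLoginToken and echoed back via the alc_enc cookie; both sides must hold the same value.`.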

