author | Andrew Dolgov <[email protected]> | 2011-12-26 12:02:52 +0400 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2011-12-26 12:02:52 +0400 |
commit | 8484ce22584b8714622833adcc7ebfe3ef9cf90e (patch) | |
tree | 057d7a64c3af60e2389d519ba19e476b5fbe6212 /include | |
parent | 036cd3a4106cf2eee0be72f0695458dfb517976b (diff) |
experimental CSRF protection
Diffstat (limited to 'include')
-rw-r--r-- | include/functions.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/include/functions.php b/include/functions.php
index e561d8e3d..ed28fd257 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -721,6 +721,7 @@
 $_SESSION["uid"] = db_fetch_result($result, 0, "id");
 $_SESSION["name"] = db_fetch_result($result, 0, "login");
 $_SESSION["access_level"] = db_fetch_result($result, 0, "access_level");
+ $_SESSION["csrf_token"] = sha1(uniqid(rand(), true));
 db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . $_SESSION["uid"]);
@@ -810,6 +811,10 @@
 }
 }
+ function validate_csrf($csrf_token) {
+ return $csrf_token == $_SESSION['csrf_token'];
+ }
+
 function validate_session($link) {
 if (SINGLE_USER_MODE) return true;
@@ -2064,6 +2069,8 @@
 $params["collapsed_feedlist"] = (int) get_pref($link, "_COLLAPSED_FEEDLIST");
+ $params["csrf_token"] = $_SESSION["csrf_token"];
+
 return $params;
 } |
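Review bot: The token assigned on the added `$_SESSION["csrf_token"]` line is built from `rand()` and `uniqid()`, neither of which is a cryptographically secure source, so the value is not as unpredictable as a CSRF secret needs to be; wrapping it in `sha1()` changes the format but adds no entropy. Generate the token from a CSPRNG instead: `$_SESSION["csrf_token"] = bin2hex(random_bytes(32));` on PHP 7+, or `bin2hex(openssl_random_pseudo_bytes(32))` on older releases. The login function this line sits in starts and ends outside the hunk.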
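Review bot: `validate_csrf` compares the submitted token with `==`, so two sha1 hex strings that both parse as numeric strings (those beginning with `0e` followed only by digits) compare as equal numbers, and a missing session token (`null`) compares equal to a null or empty submission; the line also raises an undefined-index notice when `$_SESSION['csrf_token']` was never set. Require both sides to be present strings and compare them in constant time: `return isset($_SESSION['csrf_token']) && is_string($csrf_token) && hash_equals($_SESSION['csrf_token'], $csrf_token);` (`hash_equals` needs PHP 5.6; on older versions use `===` at minimum). Nothing in this commit calls `validate_csrf`, so whether state-changing requests are actually checked cannot be confirmed from the diff. A docblock noting that the function reads `$_SESSION` unconditionally and should be invoked only after `validate_session` would also help the next reader.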
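Review bot: `$params["csrf_token"] = $_SESSION["csrf_token"];` assumes the key exists, but a session that was established before this change was deployed, or through any login path other than the one patched at line 721, presumably has no token, so this line emits an undefined-index notice and hands the client nothing usable. Guard it, `$params["csrf_token"] = isset($_SESSION["csrf_token"]) ? $_SESSION["csrf_token"] : "";`, or better, create the token on demand when it is absent so every session receives one. The function that builds `$params` starts outside the hunk.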