diff options
Diffstat (limited to 'include')
| -rw-r--r-- | include/functions.php | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/include/functions.php b/include/functions.php index 9989d7ecf..4209cf6fa 100644 --- a/include/functions.php +++ b/include/functions.php @@ -581,7 +581,7 @@ $_SESSION["name"] = $row["login"]; $_SESSION["access_level"] = $row["access_level"]; - $_SESSION["csrf_token"] = uniqid_short(); + $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16)); $usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); $usth->execute([$user_id]); @@ -608,9 +608,8 @@ $_SESSION["auth_module"] = false; - if (!$_SESSION["csrf_token"]) { - $_SESSION["csrf_token"] = uniqid_short(); - } + if (!$_SESSION["csrf_token"]) + $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16)); $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; @@ -680,7 +679,7 @@ } function validate_csrf($csrf_token) { - return $csrf_token === $_SESSION['csrf_token']; + return hash_equals($csrf_token, $_SESSION['csrf_token']); } function load_user_plugins($owner_uid, $pluginhost = false) { @@ -1669,7 +1668,9 @@ } function get_random_bytes($length) { - if (function_exists('openssl_random_pseudo_bytes')) { + if (function_exists('random_bytes')) { + return random_bytes($length); + } else if (function_exists('openssl_random_pseudo_bytes')) { return openssl_random_pseudo_bytes($length); } else { $output = ""; |