mirror of
https://github.com/maxpozdeev/mytinytodo.git
synced 2026-03-11 08:55:27 +00:00
* check csrf token on login; regenerate session id on logout instead of login
This commit is contained in:
parent
b7e220415d
commit
454ed8940f
1 changed files with 2 additions and 1 deletions
|
|
@ -301,6 +301,7 @@ elseif(isset($_GET['changeOrder']))
|
|||
}
|
||||
elseif(isset($_POST['login']))
|
||||
{
|
||||
check_token();
|
||||
$t = array('logged' => 0);
|
||||
if (!need_auth()) {
|
||||
$t['disabled'] = 1;
|
||||
|
|
@ -308,7 +309,6 @@ elseif(isset($_POST['login']))
|
|||
}
|
||||
if ( isPasswordEqualsToHash(_post('password'), Config::get('password')) ) {
|
||||
$t['logged'] = 1;
|
||||
session_regenerate_id(1);
|
||||
$_SESSION['logged'] = 1;
|
||||
$_SESSION['token'] = generateUUID();
|
||||
$_SESSION['sign'] = idSignature(session_id(), Config::get('password'), defined('MTT_SALT') ? MTT_SALT : '');
|
||||
|
|
@ -321,6 +321,7 @@ elseif(isset($_POST['logout']))
|
|||
unset($_SESSION['logged']);
|
||||
unset($_SESSION['token']);
|
||||
unset($_SESSION['sign']);
|
||||
session_regenerate_id(1);
|
||||
$t = array('logged' => 0);
|
||||
jsonExit($t);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue