Changeset:
        976bc09f8cd6
        
https://sourceforge.net/p/mrbs/hg-code/ci/976bc09f8cd625e309e678b14df0a002475e3201
Author:
        John Beranek <[email protected]>
Date:
        Fri Oct 16 22:07:15 2015 +0100
Log message:

Cookie session changes:
 - Made hash algorithm configurable, and changed default to sha512
 - Fixed handling of logged-out user

diffstat:

 web/session/session_cookie.inc |  10 +++++-----
 web/systemdefaults.inc.php     |   4 +++-
 2 files changed, 8 insertions(+), 6 deletions(-)

diffs (61 lines):

diff -r 438e3e49db53 -r 976bc09f8cd6 web/session/session_cookie.inc
--- a/web/session/session_cookie.inc    Fri Oct 16 21:23:02 2015 +0100
+++ b/web/session/session_cookie.inc    Fri Oct 16 22:07:15 2015 +0100
@@ -94,7 +94,7 @@
     }
     $json_data = json_encode($session_data);
     $hash = hash_hmac(
-                      'ripemd160',
+                      $auth["session_cookie"]["hash_algorith"],
                       $json_data,
                       $auth['session_cookie']['secret']
                      );
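Review bot: The new config key is spelled `hash_algorith` on the added line (and likewise in the hash_hmac() call of the token-verification hunk and in the web/systemdefaults.inc.php hunk), which reads as a typo for `hash_algorithm`; since every reader and the defaults file must agree on it, renaming it now is cheap, whereas a later partial rename would silently read an undefined index. The added line also mixes `$auth["session_cookie"][...]` with the `$auth['session_cookie']['secret']` quoting two lines below, so one form would be tidier. Unlike the former `'ripemd160'` literal the value is now operator-supplied, and hash_hmac() with an unrecognised algorithm name yields no usable digest (false plus a warning on older PHP, a thrown error on newer), so a guard such as `if (!in_array($auth['session_cookie']['hash_algorith'], hash_algos(), true)) { trigger_error('Unsupported session_cookie hash algorithm', E_USER_ERROR); }` where the value is read would fail loudly at configuration time rather than at login. The enclosing function starts before this hunk.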
@@ -217,7 +217,7 @@
 
   //error_log("Called getUserName()");
 
-  if (isset($cached_username))
+  if (!is_null($cached_username))
   {
     //error_log("cached");
     return $cached_username;
@@ -241,14 +241,14 @@
     }
   }
 
-  if (isset($token))
+  if ($token != "")
   {
     list($hash, $base64_data) = explode("_", $token);
     
     $json_data = base64_decode($base64_data);
 
     if (hash_hmac(
-                  'ripemd160',
+                  $auth["session_cookie"]["hash_algorith"],
                   $json_data,
                   $auth['session_cookie']['secret']
                  ) == $hash)
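Review bot: The HMAC at the end of this hunk is still verified with `== $hash`, where `$hash` comes from the client-supplied cookie token; a loose comparison of two hex digests is not constant-time and is subject to PHP's numeric-string coercion (two digests that both begin `0e` followed by digits compare equal), so the verification should read `if (hash_equals(hash_hmac($auth['session_cookie']['hash_algorith'], $json_data, $auth['session_cookie']['secret']), $hash))`, or at the very least `=== $hash` if PHP older than 5.6 must still be supported. Since the commit already touches this call to make the algorithm configurable, it is the natural place to tighten the comparison. Separately, `list($hash, $base64_data) = explode("_", $token)` leaves `$base64_data` undefined when the token contains no underscore; capturing the parts and checking `count($parts) === 2` before unpacking would make the parsing explicit. The enclosing function starts before this hunk and its body continues after it.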
@@ -304,7 +304,7 @@
     $TargetURL = $TargetURL . "?" . $QUERY_STRING;
   }
   $user=getUserName();
-  if (isset($user))
+  if ($user != "")
   {
     // words 'you are xxxx' becomes a link to the
     // report page with only entries created by xxx. Past entries are not
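Review bot: `$user != ""` is a loose comparison, and whether that is deliberate depends on what getUserName() returns for a logged-out user: if it can return null (the `!is_null($cached_username)` change in the earlier hunk suggests null is a possible value), `null != ""` is false and the check works, whereas a later tidy-up to `!== ""` would silently break it. A one-line comment such as `// getUserName() yields null or "" when nobody is logged in` would pin the intent, or the check could be made explicit with `if (!is_null($user) && $user !== "")`. The enclosing function starts before this hunk.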
diff -r 438e3e49db53 -r 976bc09f8cd6 web/systemdefaults.inc.php
--- a/web/systemdefaults.inc.php        Fri Oct 16 21:23:02 2015 +0100
+++ b/web/systemdefaults.inc.php        Fri Oct 16 22:07:15 2015 +0100
@@ -623,7 +623,9 @@
 // Increases security, but could cause problems with proxies/dynamic IP
 // machines
 $auth["session_cookie"]["include_ip"] = TRUE;
-
+// The hash algorithm to use, must be supported by your version of PHP,
+// see http://php.net/manual/en/function.hash-algos.php
+$auth["session_cookie"]["hash_algorith"] = 'sha512';
 
 // Configuration parameters for 'php' session scheme
 
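Review bot: The new comment on the added config lines documents where to find valid algorithm names but not the operational consequence of changing the value: the cookie token carries an HMAC computed with this algorithm and is re-verified against it on every request, so changing the setting (including this commit's move from ripemd160 to sha512 on an existing deployment) makes every previously issued cookie fail verification, presumably logging all current users out. Suggest extending the comment with `// Changing this value (or the secret) invalidates all existing session cookies.` so operators are not surprised. It would also help to say that the value must be one of the names returned by hash_algos() on the server, since the setting is otherwise only checked when a cookie is built.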
