csrf: Fix CRSF violation on client login

54b8a8ce · Jared Hancock · 07c1d79f · 54b8a8ce · 54b8a8ce
Commit 54b8a8ce authored 9 years ago by Jared Hancock
--- a/login.php
+++ b/login.php
@@ -32,19 +32,6 @@ else
 $suggest_pwreset = false;
-// Check the CSRF token, and ensure that future requests will have to use a
-// different CSRF token. This will help ward off both parallel and serial
-// brute force attacks, because new tokens will have to be requested for
-// each attempt.
-if ($_POST) {
-    // Check CSRF token
-    if (!$ost->checkCSRFToken())
-        Http::response(400, __('Valid CSRF Token Required'));
-    // Rotate the CSRF token (original cannot be reused)
-    $ost->getCSRF()->rotate();
-}
 if ($_POST && isset($_POST['luser'])) {
    if (!$_POST['luser'])
        $errors['err'] = __('Valid username or email address is required');

--- a/scp/css/scp.css
+++ b/scp/css/scp.css
@@ -1249,7 +1249,7 @@ ul.tabs.alt li.active {
    display:block;
    height:30px;
    position:absolute;
-    z-index:5;
+    z-index:10;
 }
 .tip_arrow {
@@ -1258,7 +1258,7 @@ ul.tabs.alt li.active {
    top:5px;
    left:-12px;
    width:12px;
-    z-index:102;
+    z-index:1;
 }
 .tip_box.right .tip_arrow {