csrf: Revert rotation of the token on each submission

aab5b8a2 · Jared Hancock · 772d5c59 · aab5b8a2 · aab5b8a2
Commit aab5b8a2 authored 9 years ago by Jared Hancock
--- a/include/class.csrf.php
+++ b/include/class.csrf.php
@@ -71,11 +71,7 @@ Class CSRF {
    }

    function validateToken($token) {
-        $rv = $token && trim($token)==$this->getToken() && !$this->isExpired();
-        // Prevent the token from being reused
-        if ($rv && !defined('AJAX_REQUEST'))
-            $this->rotate();
-        return $rv;
+        return ($token && trim($token)==$this->getToken() && !$this->isExpired());
    }

    function getFormInput($name='') {

--- a/login.php
+++ b/login.php
@@ -32,6 +32,19 @@ else

 $suggest_pwreset = false;

+// Check the CSRF token, and ensure that future requests will have to use a
+// different CSRF token. This will help ward off both parallel and serial
+// brute force attacks, because new tokens will have to be requested for
+// each attempt.
+if ($_POST) {
+    // Check CSRF token
+    if (!$ost->checkCSRFToken())
+        Http::response(400, __('Valid CSRF Token Required'));
+
+    // Rotate the CSRF token (original cannot be reused)
+    $ost->getCSRF()->rotate();
+}
+
 if ($_POST && isset($_POST['luser'])) {
    if (!$_POST['luser'])
        $errors['err'] = __('Valid username or email address is required');