Commit aab5b8a2 authored by Jared Hancock's avatar Jared Hancock

csrf: Revert rotation of the token on each submission

parent 772d5c59
...@@ -71,11 +71,7 @@ Class CSRF { ...@@ -71,11 +71,7 @@ Class CSRF {
} }
function validateToken($token) { function validateToken($token) {
$rv = $token && trim($token)==$this->getToken() && !$this->isExpired(); return ($token && trim($token)==$this->getToken() && !$this->isExpired());
// Prevent the token from being reused
if ($rv && !defined('AJAX_REQUEST'))
$this->rotate();
return $rv;
} }
function getFormInput($name='') { function getFormInput($name='') {
......
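Review bot: The retained comparison `trim($token)==$this->getToken()` on the new return line is a loose string compare and is not timing-safe; for a secret that gates state-changing requests, prefer `return ($token && hash_equals((string) $this->getToken(), trim($token)) && !$this->isExpired());` so that numeric-looking tokens cannot compare equal by value and the comparison does not leak through timing (hash_equals needs PHP 5.6+, and getToken() is assumed to return a string — confirm). With rotation removed from validateToken, a valid token now stays usable until it expires, so this method's comment should state that single-use behaviour is the caller's responsibility, e.g. `// Does not rotate; callers that need one-shot tokens must call rotate() themselves.`. Note also that `$token &&` rejects a literal token of "0"; harmless if tokens are never that, but `$token !== null && $token !== ''` is more precise. The CSRF class continues outside the hunk.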
...@@ -32,6 +32,19 @@ else ...@@ -32,6 +32,19 @@ else
$suggest_pwreset = false; $suggest_pwreset = false;
// Check the CSRF token, and ensure that future requests will have to use a
// different CSRF token. This will help ward off both parallel and serial
// brute force attacks, because new tokens will have to be requested for
// each attempt.
if ($_POST) {
// Check CSRF token
if (!$ost->checkCSRFToken())
Http::response(400, __('Valid CSRF Token Required'));
// Rotate the CSRF token (original cannot be reused)
$ost->getCSRF()->rotate();
}
if ($_POST && isset($_POST['luser'])) { if ($_POST && isset($_POST['luser'])) {
if (!$_POST['luser']) if (!$_POST['luser'])
$errors['err'] = __('Valid username or email address is required'); $errors['err'] = __('Valid username or email address is required');
......
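Review bot: The block comment above the added `if ($_POST)` section overstates what rotation buys: a fresh token is issued to anyone who loads the login form, so an attacker who can GET the page can still attempt credentials once per round-trip, and rotation is not a substitute for rate limiting or lockout on failed logins. Suggest narrowing the comment to the property the code actually provides, e.g. `// Rotate the CSRF token after every login POST so a captured or replayed submission cannot be reused; brute-force throttling must be handled separately.`. The `$ost->getCSRF()->rotate();` call would also run after `Http::response(400, ...)` if that helper returned; it looks like it terminates the request, but a one-line comment noting that assumption would help the next reader. Because rotation happens before credentials are checked, a second login form already open in another tab will now be rejected with a bare 400 rather than a recoverable error; confirm that is the intended experience. The enclosing login flow continues outside the hunk.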