diff --git a/include/class.csrf.php b/include/class.csrf.php
index 806217284b4ca7f381d37496fb763462fedbe0d1..cdd04a29258c9c7daa4056b6a886e32a52ce096e 100644
--- a/include/class.csrf.php
+++ b/include/class.csrf.php
@@ -53,16 +53,11 @@ Class CSRF {
return $this->name;
}
- function getToken($len=32) {
+ function getToken() {
if(!$this->csrf['token'] || $this->isExpired()) {
- $len = $len>8?$len:32;
- $r = '';
- for ($i = 0; $i <= $len; $i++)
- $r .= chr(mt_rand(0, 255));
-
- $this->csrf['token'] = base64_encode(sha1(session_id().$r.SECRET_SALT));
+ $this->csrf['token'] = sha1(session_id().Crypto::randcode(16).SECRET_SALT);
$this->csrf['time'] = time();
} else {
//Reset the timer
diff --git a/include/class.staff.php b/include/class.staff.php
index 4e375bb10ec473aeb68776a4d08993ff5447770e..e0220120c0ca497bc12482296d6e08ffe84c257f 100644
--- a/include/class.staff.php
+++ b/include/class.staff.php
@@ -657,7 +657,7 @@ class Staff {
db_query($sql);
//Now set session crap and lets roll baby!
$_SESSION['_staff'] = array(); //clear.
- $_SESSION['_staff']['userID'] = $username;
+ $_SESSION['_staff']['userID'] = $user->getId();
$user->refreshSession(); //set the hash.
$_SESSION['TZ_OFFSET'] = $user->getTZoffset();
$_SESSION['TZ_DST'] = $user->observeDaylight();
@@ -742,8 +742,9 @@ class Staff {
if(!$vars['lastname'])
$errors['lastname']='Last name required';
- if(!$vars['username'] || strlen($vars['username'])<2)
- $errors['username']='Username required';
+ $error = '';
+ if(!$vars['username'] || !Validator::is_username($vars['username'], $error))
+ $errors['username']=($error) ? $error : 'Username required';
elseif(($uid=Staff::getIdByUsername($vars['username'])) && $uid!=$id)
$errors['username']='Username already in use';
diff --git a/include/class.usersession.php b/include/class.usersession.php
index 5e10df43f2d1e3c6b028b788980543b121ca8aca..b596934cf0da76c95f681899935672f04aac3f74 100644
--- a/include/class.usersession.php
+++ b/include/class.usersession.php
@@ -147,7 +147,7 @@ class StaffSession extends Staff {
function StaffSession($var){
parent::Staff($var);
- $this->session= new UserSession($var);
+ $this->session= new UserSession($this->getId());
}
function isValid(){
diff --git a/include/class.validator.php b/include/class.validator.php
index e8bf851a55f76dbc96f6e0d248e9866d180f0b03..f01bcb38ca85f799c9a7d8a187624907228d8941 100644
--- a/include/class.validator.php
+++ b/include/class.validator.php
@@ -111,8 +111,9 @@ class Validator {
$this->errors[$k]=$field['error'].' (5 chars min)';
break;
case 'username':
- if(strlen($this->input[$k])<2)
- $this->errors[$k]=$field['error'].' (2 chars min)';
+ $error = '';
+ if (!$this->is_username($this->input[$k], $error))
+ $this->errors[$k]=$field['error'].": $error";
break;
case 'zipcode':
if(!is_numeric($this->input[$k]) || (strlen($this->input[$k])!=5))
@@ -169,6 +170,14 @@ class Validator {
return false;
}
+ function is_username($username, &$error='') {
+ if (strlen($username)<2)
+ $error = 'At least two (2) characters';
+ elseif (!preg_match('/^[\w._-]+$/', $username))
+ $error = 'Username contains invalid characters';
+ return $error == '';
+ }
+
function process($fields,$vars,&$errors){
$val = new Validator();
diff --git a/include/staff/login.header.php b/include/staff/login.header.php
index 679a509f96baa7f581bf8463048d3b642531d51a..cf6fbddba8533edba2f7c4c8d960df48007bcb66 100644
--- a/include/staff/login.header.php
+++ b/include/staff/login.header.php
@@ -5,6 +5,7 @@ defined('OSTSCPINC') or die('Invalid path');
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+ <meta http-equiv="refresh" content="7200" />
<title>osTicket:: SCP Login</title>
<link rel="stylesheet" href="css/login.css" type="text/css" />
<meta name="robots" content="noindex" />
diff --git a/include/staff/login.tpl.php b/include/staff/login.tpl.php
index 6d5435732128d556219c0230bdfb66004bdc21e7..1f3bb55e0c1565f6d9b6908c7359018c56d1bdaa 100644
--- a/include/staff/login.tpl.php
+++ b/include/staff/login.tpl.php
@@ -9,7 +9,7 @@ $info = ($_POST && $errors)?Format::htmlchars($_POST):array();
<?php csrf_token(); ?>
<input type="hidden" name="do" value="scplogin">
<fieldset>
- <input type="text" name="userid" id="name" value="<?php echo $info['username']; ?>" placeholder="username" autocorrect="off" autocapitalize="off">
+ <input type="text" name="userid" id="name" value="<?php echo $info['userid']; ?>" placeholder="username" autocorrect="off" autocapitalize="off">
<input type="password" name="passwd" id="pass" placeholder="password" autocorrect="off" autocapitalize="off">
</fieldset>
<?php if ($_SESSION['_staff']['strikes'] > 1 && $cfg->allowPasswordReset()) { ?>
diff --git a/scp/staff.inc.php b/scp/staff.inc.php
index 54ff91b9976bc4e3ddbc558e07d5f205c1ee2d06..0c835d46a780a5acf439af2268da039a73335905 100644
--- a/scp/staff.inc.php
+++ b/scp/staff.inc.php
@@ -58,7 +58,7 @@ if(!function_exists('staffLoginPage')) { //Ajax interface can pre-declare the fu
$thisstaff = new StaffSession($_SESSION['_staff']['userID']); //Set staff object.
//1) is the user Logged in for real && is staff.
-if(!$thisstaff || !is_object($thisstaff) || !$thisstaff->getId() || !$thisstaff->isValid()){
+if(!$thisstaff->getId() || !$thisstaff->isValid()){
if (isset($_SESSION['_staff']['auth']['msg'])) {
$msg = $_SESSION['_staff']['auth']['msg'];
unset($_SESSION['_staff']['auth']['msg']);