author | Simon Rettberg | 2016-05-19 15:46:30 +0200 |
---|---|---|
committer | Simon Rettberg | 2016-05-19 15:46:30 +0200 |
commit | bc959df0c9df3fdf250fb93ef30dbb81cbd848c7 (patch) | |
tree | 15344f7f9db92c4a9698015af5ca2fa0f03dec5d /inc/util.inc.php | |
parent | [baseconfig] Remove pointless TODO (diff) | |
download | slx-admin-bc959df0c9df3fdf250fb93ef30dbb81cbd848c7.tar.gz slx-admin-bc959df0c9df3fdf250fb93ef30dbb81cbd848c7.tar.xz slx-admin-bc959df0c9df3fdf250fb93ef30dbb81cbd848c7.zip |
Fix CSRF token checking; improve token/sid generation
Diffstat (limited to 'inc/util.inc.php')
-rw-r--r-- | inc/util.inc.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/inc/util.inc.php b/inc/util.inc.php
index c0b77f96..1b29aa39 100644
--- a/inc/util.inc.php
+++ b/inc/util.inc.php
@@ -103,7 +103,7 @@ SADFACE;
 }
 /**
- * Verify the user's token that protects agains CSRF.
+ * Verify the user's token that protects against CSRF.
  * If the user is logged in and there is no token variable set in
  * the request, or the submitted token does not match the user's
  * token, this function will return false and display an error.
@@ -111,9 +111,9 @@ SADFACE;
  */
 public static function verifyToken()
 {
-    if (Session::get('main.token') === false)
+    if (!User::isLoggedIn() && Session::get('token') === false)
         return true;
-    if (isset($_REQUEST['main.token']) && Session::get('main.token') === $_REQUEST['main.token'])
+    if (isset($_REQUEST['token']) && Session::get('token') === $_REQUEST['token'])
         return true;
     Message::addError('main.token');
     return false;
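Review bot: The new check in the second hunk still reads the token from `$_REQUEST`, which accepts it from the query string (and, depending on `request_order`, from cookies) as well as the POST body, so a CSRF token that ends up in a GET URL can leak through Referer headers and access logs, and a cookie-sourced value would defeat the purpose of the check entirely. If the project's forms submit the token in the POST body (which I cannot confirm from this hunk), the comparison should be restricted to that source and also made type-safe and constant-time: `if (isset($_POST['token']) && is_string($_POST['token']) && hash_equals(Session::get('token'), $_POST['token']))`. The `is_string` guard matters because `hash_equals` expects strings and a `token[]=` submission would otherwise produce an array. The closing brace of `verifyToken` lies outside the hunk.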