Commit 0aa8124e authored by Tim Steiner's avatar Tim Steiner

Stop enforcing the IP address check in XSRF token validation (log it only) and add a user-agent check.

parent 1142b8c7
......@@ -59,7 +59,8 @@ class Unl_XsrfToken
$token = array(
'expires' => $expires,
'formUrl' => $_SERVER['SCRIPT_URI'],
'remoteAddress' => $_SERVER['REMOTE_ADDR']
'remoteAddress' => $_SERVER['REMOTE_ADDR'],
'userAgent' => $_SERVER['HTTP_USER_AGENT'],
);
$tokenId = base64_encode(hash('sha256', microtime(TRUE), TRUE));
$this->_session->tokens[$tokenId] = $token;
......@@ -87,13 +88,17 @@ class Unl_XsrfToken
return FALSE;
}
if ($token['remoteAddress'] != $_SERVER['REMOTE_ADDR']) {
$log->log('XSRF: Remote address changed.', Zend_Log::ERR);
return FALSE;
$log->log('XSRF: Remote address changed. (ignoring)', Zend_Log::ERR);
//return FALSE;
}
if ($token['formUrl'] != $_SERVER['HTTP_REFERER']) {
$log->log('XSRF: Referer doesn\'t match form url.', Zend_Log::ERR);
return FALSE;
}
if ($token['userAgent'] != $_SERVER['HTTP_USER_AGENT']) {
$log->log('XSRF: User agent has changed.', Zend_Log::ERR);
return FALSE;
}
if ($onceOnly) {
unset($this->_session->tokens[$tokenId]);
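Review bot: The new `userAgent` comparison at the end of this hunk adds little against CSRF — a forged request is issued by the victim's own browser and therefore carries the victim's own User-Agent, so the header always agrees with the token; treat it as a weak token-theft heuristic rather than a replacement for the dropped remote-address check. It also reads `$token['userAgent']` and `$_SERVER['HTTP_USER_AGENT']` unguarded: any token still sitting in a session from before this deploy presumably has no `userAgent` key (the first hunk only adds it to newly created tokens), so every in-flight form would be rejected, and a client that omits the header leaves both sides null, raising notices and comparing null to null; suggest `$expected = isset($token['userAgent']) ? $token['userAgent'] : null;`, `$actual = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;` and `if ($expected !== null && $expected !== $actual) {`. The remote-address branch still logs at `Zend_Log::ERR` for a condition the commit deliberately ignores and keeps the dead `//return FALSE;`; lowering it to `Zend_Log::WARN` and deleting the commented-out line would keep operators from alerting on it. The method containing this hunk starts and ends outside it.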
......