Commit 0aa8124e authored by Tim Steiner's avatar Tim Steiner

Ignore the IP address check in the XSRF token validation and add a user agent check.

parent 1142b8c7
...@@ -59,7 +59,8 @@ class Unl_XsrfToken ...@@ -59,7 +59,8 @@ class Unl_XsrfToken
$token = array( $token = array(
'expires' => $expires, 'expires' => $expires,
'formUrl' => $_SERVER['SCRIPT_URI'], 'formUrl' => $_SERVER['SCRIPT_URI'],
'remoteAddress' => $_SERVER['REMOTE_ADDR'] 'remoteAddress' => $_SERVER['REMOTE_ADDR'],
'userAgent' => $_SERVER['HTTP_USER_AGENT'],
); );
$tokenId = base64_encode(hash('sha256', microtime(TRUE), TRUE)); $tokenId = base64_encode(hash('sha256', microtime(TRUE), TRUE));
$this->_session->tokens[$tokenId] = $token; $this->_session->tokens[$tokenId] = $token;
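Review bot: The new `'userAgent' => $_SERVER['HTTP_USER_AGENT'],` entry reads the header with no isset guard, so a request that omits User-Agent raises an undefined-index notice at token creation, and the comparison added in the second hunk (`if ($token['userAgent'] != $_SERVER['HTTP_USER_AGENT'])`) has the same gap; `'userAgent' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '',` plus a strict `!==` in the check would close it. A comment beside the new field should state that this is a consistency check only: on a cross-site request the victim's own browser supplies the same User-Agent, so it does not replace the address binding the second hunk stops enforcing, and the session-bound token id remains the actual defense (that id is derived from `microtime(TRUE)`, so its unpredictability is worth a separate look). In the second hunk the now-ignored address mismatch still logs at `Zend_Log::ERR` and leaves `//return FALSE;` as dead code; logging it at `Zend_Log::WARN` and deleting the commented-out line would be cleaner, and the enclosing method there starts and ends outside the hunk.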
...@@ -87,13 +88,17 @@ class Unl_XsrfToken ...@@ -87,13 +88,17 @@ class Unl_XsrfToken
return FALSE; return FALSE;
} }
if ($token['remoteAddress'] != $_SERVER['REMOTE_ADDR']) { if ($token['remoteAddress'] != $_SERVER['REMOTE_ADDR']) {
$log->log('XSRF: Remote address changed.', Zend_Log::ERR); $log->log('XSRF: Remote address changed. (ignoring)', Zend_Log::ERR);
return FALSE; //return FALSE;
} }
if ($token['formUrl'] != $_SERVER['HTTP_REFERER']) { if ($token['formUrl'] != $_SERVER['HTTP_REFERER']) {
$log->log('XSRF: Referer doesn\'t match form url.', Zend_Log::ERR); $log->log('XSRF: Referer doesn\'t match form url.', Zend_Log::ERR);
return FALSE; return FALSE;
} }
if ($token['userAgent'] != $_SERVER['HTTP_USER_AGENT']) {
$log->log('XSRF: User agent has changed.', Zend_Log::ERR);
return FALSE;
}
if ($onceOnly) { if ($onceOnly) {
unset($this->_session->tokens[$tokenId]); unset($this->_session->tokens[$tokenId]);
......