commit 52a8eabbf75cacf4b77467a3c726d3ab2d61c256
parent 09b4c9032ca39f41070c6743637650a952f1d71a
Author: dankert <devnull@localhost>
Date: Tue, 23 Feb 2010 23:14:33 +0100
Konfigurieren von POST-Token und Session-Erneuerung.
Diffstat:
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/actionClasses/IndexAction.class.php b/actionClasses/IndexAction.class.php
@@ -671,7 +671,8 @@ class IndexAction extends Action
else
{
// Anmeldung erfolgreich.
- $this->recreateSession();
+ if ( config('security','renew_session_login') )
+ $this->recreateSession();
$user = Session::getUser();
$this->addNotice('user',$user->name,'LOGIN_OK',OR_NOTICE_OK,array('name'=>$user->fullname));
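Review bot: The new `if` at the `renew_session_login` check guards a single unbraced statement, while the surrounding branch (the `else {` just above) uses braces; an unbraced guard around a security-relevant call is easy to break when a second statement is added later, so `if ( config('security','renew_session_login') ) { $this->recreateSession(); }` would be safer to maintain. The same unbraced form appears in the logout hunk at the `renew_session_logout` check. A one-line comment at the guard would also help a maintainer understand what turning the option off costs, e.g. `// When disabled, the session id survives login and session fixation is not mitigated here.` The enclosing login method begins and ends outside this hunk.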
@@ -749,7 +750,8 @@ class IndexAction extends Action
// Loeschen der Session.
session_destroy();
*/
- $this->recreateSession();
+ if ( config('security','renew_session_logout') )
+ $this->recreateSession();
if ( @$conf['theme']['compiler']['compile_at_logout'])
{
diff --git a/config/security.ini.php b/config/security.ini.php
@@ -44,6 +44,18 @@ disable_dynamic_code = true
show_system_info = true
+; Useful against CSRF-attacks, this adds a token to all POST request.
+use_post_token=true
+
+; Creates a new Session on login.
+; Useful against session fixation attacks.
+renew_session_login=true
+
+; Creates a new Session on logout.
+; Useful against session fixation attacks.
+renew_session_logout=true
+
+
; Default Login
; These values are used for the login form.
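Review bot: The three new options are documented only by what they are "useful against", not by what switching them off means, which is the information an operator needs before changing a security default. I would extend the `use_post_token` comment with `; Disabling this removes the CSRF check for every POST request.` and the two `renew_session_*` comments with `; Disabling this keeps the session id across login/logout.` The comment `this adds a token to all POST request` should read `requests`.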
diff --git a/do.php b/do.php
@@ -93,9 +93,6 @@ if (version_compare(PHP_VERSION, '5.1.0', '>'))
session_start();
require_once( OR_SERVICECLASSES_DIR."Session.class.".PHP_EXT );
-if ( $_SERVER['REQUEST_METHOD'] == 'POST' && $REQ[REQ_PARAM_TOKEN]!=token() )
- Http::notAuthorized("Token mismatch");
-
// Vorhandene Konfiguration aus der Sitzung lesen.
$conf = Session::getConfig();
@@ -159,6 +156,9 @@ if ( !empty($conf['security']['umask']) )
if ( !empty($conf['interface']['timeout']) )
set_time_limit( intval($conf['interface']['timeout']) );
+if ( config('security','use_post_token') && $_SERVER['REQUEST_METHOD'] == 'POST' && $REQ[REQ_PARAM_TOKEN]!=token() )
+ Http::notAuthorized("Token mismatch");
+
define('FILE_SEP',$conf['interface']['file_separator']);
define('TEMPLATE_DIR',OR_THEMES_DIR.$conf['interface']['theme'].'/templates');
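Review bot: The relocated token check at the `use_post_token` line still uses the loose `!=` against `token()` and reads `$REQ[REQ_PARAM_TOKEN]` without checking it exists, so a POST without the parameter raises a notice and the comparison depends on PHP's loose-equality rules; the condition should be `( !isset($REQ[REQ_PARAM_TOKEN]) || $REQ[REQ_PARAM_TOKEN] !== token() )` so a missing or non-string token is rejected the same way as a wrong one. Moving the check from right after `session_start()` to after the config-dependent setup also means more of the bootstrap runs before a bad-token POST is rejected, which is presumably intended so `config()` can be consulted; a comment such as `// Must run after Session::getConfig(), because config() is read from the session.` would make that ordering constraint explicit. Note that `$REQ` and `token()` are defined outside this hunk.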