openrat-cms


commit 52a8eabbf75cacf4b77467a3c726d3ab2d61c256
parent 09b4c9032ca39f41070c6743637650a952f1d71a
Author: dankert <devnull@localhost>
Date:   Tue, 23 Feb 2010 23:14:33 +0100

Konfigurieren von POST-Token und Session-Erneuerung.

Diffstat:
actionClasses/IndexAction.class.php | 6++++--
config/security.ini.php | 12++++++++++++
do.php | 6+++---
3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/actionClasses/IndexAction.class.php b/actionClasses/IndexAction.class.php
@@ -671,7 +671,8 @@ class IndexAction extends Action
 else
 {
 // Anmeldung erfolgreich.
- $this->recreateSession();
+ if ( config('security','renew_session_login') )
+ $this->recreateSession();
 $user = Session::getUser();
 $this->addNotice('user',$user->name,'LOGIN_OK',OR_NOTICE_OK,array('name'=>$user->fullname));
@@ -749,7 +750,8 @@ class IndexAction extends Action
 // Loeschen der Session.
 session_destroy();
 */
- $this->recreateSession();
+ if ( config('security','renew_session_logout') )
+ $this->recreateSession();
 if ( @$conf['theme']['compiler']['compile_at_logout'])
 {
diff --git a/config/security.ini.php b/config/security.ini.php
@@ -44,6 +44,18 @@ disable_dynamic_code = true
 show_system_info = true
+; Useful against CSRF-attacks, this adds a token to all POST request.
+use_post_token=true
+
+; Creates a new Session on login.
+; Useful against session fixation attacks.
+renew_session_login=true
+
+; Creates a new Session on logout.
+; Useful against session fixation attacks.
+renew_session_logout=true
+
+
 ; Default Login
 ; These values are used for the login form.
diff --git a/do.php b/do.php
@@ -93,9 +93,6 @@ if (version_compare(PHP_VERSION, '5.1.0', '>'))
 session_start();
 require_once( OR_SERVICECLASSES_DIR."Session.class.".PHP_EXT );
-if ( $_SERVER['REQUEST_METHOD'] == 'POST' && $REQ[REQ_PARAM_TOKEN]!=token() )
- Http::notAuthorized("Token mismatch");
-
 // Vorhandene Konfiguration aus der Sitzung lesen.
 $conf = Session::getConfig();
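Review bot: The session regeneration on successful login is now skipped whenever `config('security','renew_session_login')` is falsy, and nothing in the hunk shows what `config()` returns for a key that is absent from an older security.ini, so an install that has not picked up the new ini entries may silently lose its session-fixation defense; I would confirm that `config()` defaults this to true, or invert the gate so only an explicit false disables it. The line also deserves a why-comment, since the security reason lives only in the ini file: `// New session id on login: an id fixed before authentication must not survive into the authenticated session.` The enclosing method starts before and continues after this hunk.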
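Review bot: In the visible context `session_destroy()` is commented out, so within this hunk `recreateSession()` is the only step that changes the session id at logout, and setting `renew_session_logout=false` leaves the pre-logout session id valid afterwards; whether the user object is cleared elsewhere in this method is not visible here. The guard should state that: `// New session id on logout so the old id cannot be reused; if this is disabled, the session data must still be cleared.` The ini text files this under session fixation, but the logout case is about not reusing an authenticated id, which is worth saying in the comment. The enclosing method starts before and continues after this hunk.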
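Review bot: The comment on `use_post_token` says what the option adds but not what turning it off costs — in do.php the POST token check is skipped entirely, not replaced — and it has a grammar slip (`POST request`). I would write it as `; Adds an anti-CSRF token to every POST request and rejects POSTs whose token does not match. Setting this to false removes the check entirely.` The two renew_session comments could likewise say that regenerating on login is the session-fixation defense, while regenerating on logout keeps the old session id from being reused.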
@@ -159,6 +156,9 @@ if ( !empty($conf['security']['umask']) )
 if ( !empty($conf['interface']['timeout']) )
 set_time_limit( intval($conf['interface']['timeout']) );
+if ( config('security','use_post_token') && $_SERVER['REQUEST_METHOD'] == 'POST' && $REQ[REQ_PARAM_TOKEN]!=token() )
+ Http::notAuthorized("Token mismatch");
+
 define('FILE_SEP',$conf['interface']['file_separator']);
 define('TEMPLATE_DIR',OR_THEMES_DIR.$conf['interface']['theme'].'/templates');
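Review bot: The moved check still compares the request token with loose `!=` and without `isset`, so a missing `$REQ[REQ_PARAM_TOKEN]` raises a notice before being rejected and a numeric-looking token would be compared as a number; use `( !isset($REQ[REQ_PARAM_TOKEN]) || $REQ[REQ_PARAM_TOKEN] !== token() )` with strict comparison. Moving the check from line 93 down to after the config and timeout setup also means everything do.php runs in between now executes on a POST before the token has been verified; that code is not in the hunk, so it is worth confirming none of it acts on POST data. As with the other new gates, what `config('security','use_post_token')` yields for a key missing from an old security.ini decides whether the check fails open, and a short comment should state the intent: `// Reject any POST that does not carry the session's anti-CSRF token (only skipped when use_post_token is off).`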