mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

further improvements on multiple login token support 

outdated tokens are deleted before checking against cookies
if an invalid token is used we delete all stored tokens for saveness
used token will be replaced by a new one after successful authentication
This commit is contained in:
Michael Göhler 2012-10-11 11:38:42 +02:00
parent ee5d0f328f
commit 45f1c3f120
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/base.php
View File

@ -536,15 +536,25 @@ class OC{
}
// confirm credentials in cookie
if(isset($_COOKIE['oc_token']) && OC_User::userExists($_COOKIE['oc_username'])) {
// delete outdated cookies
cleanupLoginTokens($_COOKIE['oc_username']);
// get new tokens
$tokens = OC_Preferences::getKeys($_COOKIE['oc_username'], 'login_token');
$tokens[] = OC_Preferences::getValue($_COOKIE['oc_username'], 'login', 'token');
// test cookies token against stored tokens
if (in_array($_COOKIE['oc_token'], $tokens, true)) {
self::cleanupLoginTokens($_COOKIE['oc_username']);
// replace successfully used token with a new one
OC_Preferences::deleteKey($_POST['user'], 'login_token', $_COOKIE['oc_token']);
$token = md5($_POST["user"].OC_Util::generate_random_bytes(10).$_COOKIE['oc_token']);
OC_Preferences::setValue($_POST['user'], 'login_token', $token, time());
OC_User::setMagicInCookie($_POST['user'], $token);
// login
OC_User::setUserId($_COOKIE['oc_username']);
OC_Util::redirectToDefaultPage();
// doesn't return
}
OC_Preferences::deleteKey($_POST['user'], 'login_token', $_COOKIE['oc_token']);
// if you reach this point you are an attacker
// we remove all tokens to be save
OC_Preferences::deleteApp($_POST['user'], 'login_token');
}
OC_User::unsetMagicInCookie();
return true;