Removed sectoken

This token is completly useless since an attacker can easily extract it
from the page.
This commit is contained in:
Lukas Reschke 2012-09-29 15:18:38 +02:00
parent f5fe95a131
commit 578aa4e425
3 changed files with 1 additions and 9 deletions

View File

@ -12,7 +12,6 @@
<p class="infield">
<label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
<input type="password" name="password" id="password" value="" required<?php echo $_['user_autofocus']?'':' autofocus'; ?> />
<input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" />
</p>
<input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label>
<input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" />

View File

@ -528,11 +528,7 @@ class OC{
}
protected static function tryFormLogin() {
if(!isset($_POST["user"])
|| !isset($_POST['password'])
|| !isset($_SESSION['sectoken'])
|| !isset($_POST['sectoken'])
|| ($_SESSION['sectoken']!=$_POST['sectoken']) ) {
if(!isset($_POST["user"]) || !isset($_POST['password'])) {
return false;
}

View File

@ -314,9 +314,6 @@ class OC_Util {
$parameters["username"] = '';
$parameters['user_autofocus'] = true;
}
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
$parameters["sectoken"] = $sectoken;
if (isset($_REQUEST['redirect_url'])) {
$redirect_url = OC_Util::sanitizeHTML($_REQUEST['redirect_url']);
} else {