diff --git a/core/ajax/requesttoken.php b/core/ajax/requesttoken.php
deleted file mode 100644
index 9d43a72285..0000000000
--- a/core/ajax/requesttoken.php
+++ /dev/null
@@ -1,40 +0,0 @@
-
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
-* License as published by the Free Software Foundation; either
-* version 3 of the license, or any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
-*
-* You should have received a copy of the GNU Affero General Public
-* License along with this library.
-* If not, see .
-*
-*/
-
-/**
- * @file core/ajax/requesttoken.php
- * @brief Ajax method to retrieve a fresh request protection token for ajax calls
- * @return json: success/error state indicator including a fresh request token
- * @author Christian Reiner
- */
-
-// don't load apps or filesystem for this task
-$RUNTIME_NOAPPS = true;
-$RUNTIME_NOSETUPFS = true;
-
-// Sanity checks
-// using OCP\JSON::callCheck() below protects the token refreshing itself.
-//OCP\JSON::callCheck ( );
-OCP\JSON::checkLoggedIn ( );
-// hand out a fresh token
-OCP\JSON::success ( array ( 'token' => OCP\Util::callRegister() ) );
-?>
diff --git a/core/js/eventsource.js b/core/js/eventsource.js
index 45c63715a7..e3ad7e3a67 100644
--- a/core/js/eventsource.js
+++ b/core/js/eventsource.js
@@ -40,7 +40,7 @@ OC.EventSource=function(src,data){
dataStr+=name+'='+encodeURIComponent(data[name])+'&';
}
}
- dataStr+='requesttoken='+OC.Request.Token;
+ dataStr+='requesttoken='+OC.EventSource.requesttoken;
if(!this.useFallBack && typeof EventSource !='undefined'){
this.source=new EventSource(src+'?'+dataStr);
this.source.onmessage=function(e){
diff --git a/core/js/requesttoken.js b/core/js/requesttoken.js
deleted file mode 100644
index 0d78cd7e93..0000000000
--- a/core/js/requesttoken.js
+++ /dev/null
@@ -1,55 +0,0 @@
-/**
- * ownCloud
- *
- * @file core/js/requesttoken.js
- * @brief Routine to refresh the Request protection request token periodically
- * @author Christian Reiner (arkascha)
- * @copyright 2011-2012 Christian Reiner
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
- * License as published by the Free Software Foundation; either
- * version 3 of the license, or any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
- *
- * You should have received a copy of the GNU Affero General Public
- * License along with this library.
- * If not, see .
- *
- */
-
-OC.Request = {
- // the request token
- Token: {},
- // the lifespan span (in secs)
- Lifespan: {},
- // method to refresh the local request token periodically
- Refresh: function(){
- // just a client side console log to preserve efficiency
- console.log("refreshing request token (lifebeat)");
- var dfd=new $.Deferred();
- $.ajax({
- type: 'POST',
- url: OC.filePath('core','ajax','requesttoken.php'),
- cache: false,
- data: { },
- dataType: 'json'
- }).done(function(response){
- // store refreshed token inside this class
- OC.Request.Token=response.token;
- dfd.resolve();
- }).fail(dfd.reject);
- return dfd;
- }
-}
-// accept requesttoken and lifespan into the OC namespace
-OC.Request.Token = oc_requesttoken;
-OC.Request.Lifespan = oc_requestlifespan;
-// refresh the request token periodically shortly before it becomes invalid on the server side
-setInterval(OC.Request.Refresh,Math.floor(1000*OC.Request.Lifespan*0.93)), // 93% of lifespan value, close to when the token expires
-// early bind token as additional ajax argument for every single request
-$(document).bind('ajaxSend', function(elm, xhr, s){xhr.setRequestHeader('requesttoken', OC.Request.Token);});
diff --git a/core/routes.php b/core/routes.php
index cc0aa53a21..6f99935668 100644
--- a/core/routes.php
+++ b/core/routes.php
@@ -13,9 +13,6 @@ $this->create('search_ajax_search', '/search/ajax/search.php')
// AppConfig
$this->create('core_ajax_appconfig', '/core/ajax/appconfig.php')
->actionInclude('core/ajax/appconfig.php');
-// RequestToken
-$this->create('core_ajax_requesttoken', '/core/ajax/requesttoken.php')
- ->actionInclude('core/ajax/requesttoken.php');
// Share
$this->create('core_ajax_share', '/core/ajax/share.php')
->actionInclude('core/ajax/share.php');
diff --git a/core/templates/layout.base.php b/core/templates/layout.base.php
index f78b6ff8bb..d8f8305877 100644
--- a/core/templates/layout.base.php
+++ b/core/templates/layout.base.php
@@ -11,7 +11,6 @@
var oc_webroot = '';
var oc_appswebroots = ;
var oc_requesttoken = '';
- var oc_requestlifespan = '';
diff --git a/core/templates/layout.guest.php b/core/templates/layout.guest.php
index e6468cdcfb..2eaa517b32 100644
--- a/core/templates/layout.guest.php
+++ b/core/templates/layout.guest.php
@@ -11,7 +11,6 @@
var oc_webroot = '';
var oc_appswebroots = ;
var oc_requesttoken = '';
- var oc_requestlifespan = '';
var datepickerFormatDate = l('jsdate', 'jsdate')) ?>;
var dayNames = t('Sunday'), (string)$l->t('Monday'), (string)$l->t('Tuesday'), (string)$l->t('Wednesday'), (string)$l->t('Thursday'), (string)$l->t('Friday'), (string)$l->t('Saturday'))) ?>;
var monthNames = t('January'), (string)$l->t('February'), (string)$l->t('March'), (string)$l->t('April'), (string)$l->t('May'), (string)$l->t('June'), (string)$l->t('July'), (string)$l->t('August'), (string)$l->t('September'), (string)$l->t('October'), (string)$l->t('November'), (string)$l->t('December'))) ?>;
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index d876fbc98e..451a4685e8 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -12,7 +12,6 @@
var oc_appswebroots = ;
var oc_current_user = '';
var oc_requesttoken = '';
- var oc_requestlifespan = '';
var datepickerFormatDate = l('jsdate', 'jsdate')) ?>;
var dayNames = t('Sunday'), (string)$l->t('Monday'), (string)$l->t('Tuesday'), (string)$l->t('Wednesday'), (string)$l->t('Thursday'), (string)$l->t('Friday'), (string)$l->t('Saturday'))) ?>;
var monthNames = t('January'), (string)$l->t('February'), (string)$l->t('March'), (string)$l->t('April'), (string)$l->t('May'), (string)$l->t('June'), (string)$l->t('July'), (string)$l->t('August'), (string)$l->t('September'), (string)$l->t('October'), (string)$l->t('November'), (string)$l->t('December'))) ?>;
@@ -21,6 +20,13 @@
+
application = $app;
$this->vars = array();
$this->vars['requesttoken'] = OC_Util::callRegister();
- $this->vars['requestlifespan'] = OC_Util::$callLifespan;
$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
$this->l10n = OC_L10N::get($parts[0]);
@@ -391,7 +390,6 @@ class OC_Template{
$page = new OC_TemplateLayout($this->renderas);
if($this->renderas == 'user') {
$page->assign('requesttoken', $this->vars['requesttoken']);
- $page->assign('requestlifespan', $this->vars['requestlifespan']);
}
// Add custom headers
diff --git a/lib/util.php b/lib/util.php
index a9bc5c061c..5907cc46a0 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -472,17 +472,6 @@ class OC_Util {
return $id;
}
- /**
- * @brief Static lifespan (in seconds) when a request token expires.
- * @see OC_Util::callRegister()
- * @see OC_Util::isCallRegistered()
- * @description
- * Also required for the client side to compute the piont in time when to
- * request a fresh token. The client will do so when nearly 97% of the
- * timespan coded here has expired.
- */
- public static $callLifespan = 3600; // 3600 secs = 1 hour
-
/**
* @brief Register an get/post call. Important to prevent CSRF attacks.
* @todo Write howto: CSRF protection guide
@@ -491,30 +480,24 @@ class OC_Util {
* Creates a 'request token' (random) and stores it inside the session.
* Ever subsequent (ajax) request must use such a valid token to succeed,
* otherwise the request will be denied as a protection against CSRF.
- * The tokens expire after a fixed lifespan.
- * @see OC_Util::$callLifespan
* @see OC_Util::isCallRegistered()
*/
public static function callRegister() {
// Check if a token exists
- if(!isset($_SESSION['requesttoken']) || time() >$_SESSION['requesttoken']['time']) {
+ if(!isset($_SESSION['requesttoken'])) {
// No valid token found, generate a new one.
- $requestTokenArray = array(
- "requesttoken" => self::generate_random_bytes(20),
- "time" => time()+self::$callLifespan,
- );
- $_SESSION['requesttoken']=$requestTokenArray;
+ $requestToken = self::generate_random_bytes(20);
+ $_SESSION['requesttoken']=$requestToken;
} else {
// Valid token already exists, send it
- $requestTokenArray = $_SESSION['requesttoken'];
+ $requestToken = $_SESSION['requesttoken'];
}
- return($requestTokenArray['requesttoken']);
+ return($requestToken);
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return boolean False if request token is not set or is invalid.
- * @see OC_Util::$callLifespan
* @see OC_Util::callRegister()
*/
public static function isCallRegistered() {
@@ -530,7 +513,7 @@ class OC_Util {
}
// Check if the token is valid
- if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']["time"]) {
+ if($token !== $_SESSION['requesttoken']) {
// Not valid
return false;
} else {