ENHANCEMENT Limiting "alc_enc" cookie (remember login token) to httpOnly to reduce risk of information exposure through XSS
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86027 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
8fbf530bf6
commit
2700d73e97
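--- a/Member.php
+++ b/Member.php
@@ -217,7 +217,8 @@ class Member extends DataObject {
 if($remember) {
 $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
 $this->RememberLoginToken = $token;
-Cookie::set('alc_enc', $this->ID . ':' . $token);
+// Set cookie (with HTTPOnly flag if running on PHP 5.2 or newer)
+Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
 } else {
 $this->RememberLoginToken = null;
 Cookie::set('alc_enc', null);
@@ -284,7 +285,7 @@ class Member extends DataObject {
 
 $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID));
 $member->RememberLoginToken = $token;
-Cookie::set('alc_enc', $member->ID . ':' . $token);
+Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, null, true);
 
 $member->NumVisit++;
 $member->write();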
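Review bot: In both new Cookie::set calls the argument just before the HttpOnly flag is left as null, which by position looks like the secure flag, so the remember-login cookie is now HttpOnly but will still be transmitted over plain HTTP; if that parameter is indeed the secure flag, set it when the request arrived over HTTPS, e.g. `Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, $isHttps, true);` with `$isHttps` derived from the current request (confirm the parameter order against Cookie::set first). The new comment says the flag applies only on PHP 5.2 or newer, yet the call passes true unconditionally, so any version gating must happen inside Cookie::set — either state that, e.g. `// Cookie::set drops the HttpOnly flag on PHP < 5.2, where setcookie() lacks the parameter`, or drop the clause if no such gating exists. Separately, the token both hunks store is built from `md5(uniqid(rand(), true))`, which is not a cryptographic randomness source, so the value this cookie protects remains guessable regardless of its flags; a token drawn from a CSPRNG would be the stronger fix. Both hunks are cut from methods whose bodies begin and end outside the shown lines.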
|