From 310f8f6a03ac10716978c34835e44edb72e5ec8e Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Sun, 5 Dec 2010 00:47:12 +0000
Subject: [PATCH] BUGFIX Using RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of 'RememberLoginToken' and 'AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114507 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 security/Member.php | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/security/Member.php b/security/Member.php
index 9d8c37f24..917a2a138 100755
--- a/security/Member.php
+++ b/security/Member.php
@@ -11,11 +11,11 @@ class Member extends DataObject {
 'Surname' => 'Varchar',
 'Email' => 'Varchar',
 'Password' => 'Varchar(160)',
- 'RememberLoginToken' => 'Varchar(50)',
+ 'RememberLoginToken' => 'Varchar(1024)',
 'NumVisit' => 'Int',
 'LastVisited' => 'SS_Datetime',
 'Bounced' => 'Boolean', // Note: This does not seem to be used anywhere.
- 'AutoLoginHash' => 'Varchar(30)',
+ 'AutoLoginHash' => 'Varchar(1024)',
 'AutoLoginExpired' => 'SS_Datetime',
 // This is an arbitrary code pointing to a PasswordEncryptor instance,
 // not an actual encryption algorithm.
@@ -327,7 +327,8 @@ class Member extends DataObject {
 $this->NumVisit++;
 if($remember) {
- $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
+ $generator = new RandomGenerator();
+ $token = $generator->generateHash('sha1');
 $this->RememberLoginToken = $token;
 Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
 } else {
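Review bot: The remember-me token produced in this logIn() hunk is stored verbatim in `RememberLoginToken` and is also the secret half of the `alc_enc` cookie (`$this->ID . ':' . $token`), so a read of the Member table is presumably enough to reconstruct a valid auto-login cookie for every member that has one; the commit changes how the token is generated but not how it is kept. Because the value is random, persisting a digest instead (`$this->RememberLoginToken = sha1($token);`, with the matching lookup in autoLogin digesting the cookie value the same way, outside this hunk) would mean a leaked table no longer yields usable cookies. The `new RandomGenerator()` plus `generateHash('sha1')` pair now appears here, in the autoLogin hunk and in generateAutologinHash; a small private helper on Member would keep the algorithm choice in one place. A sha1 digest is presumably 40 hex characters, so the Varchar(1024) columns in the first hunk are far larger than needed — harmless, but a short comment on those field definitions explaining the headroom would help the next reader. logIn()'s body begins and ends outside this hunk.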
@@ -395,9 +396,9 @@ class Member extends DataObject {
 Session::set("loggedInAs", $member->ID);
 // This lets apache rules detect whether the user has logged in
 if(self::$login_marker_cookie) Cookie::set(self::$login_marker_cookie, 1, 0, null, null, false, true);
-
- $token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID));
- $member->RememberLoginToken = $token;
+
+ $generator = new RandomGenerator();
+ $member->RememberLoginToken = $generator->generateHash('sha1');
 Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
 $member->NumVisit++;
@@ -442,8 +443,8 @@ class Member extends DataObject {
 function generateAutologinHash($lifetime = 2) {
 do {
- $hash = substr(base_convert(md5(uniqid(mt_rand(), true)), 16, 36),
- 0, 30);
+ $generator = new RandomGenerator();
+ $hash = $generator->generateHash('sha1');
 } while(DataObject::get_one('Member', "\"AutoLoginHash\" = '$hash'"));
 $this->AutoLoginHash = $hash;
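Review bot: On the new side of the autoLogin hunk `$token` is never assigned — the generated value goes straight into `$member->RememberLoginToken` — yet the unchanged `Cookie::set('alc_enc', $member->ID . ':' . $token, ...)` that follows still reads it, so the re-issued cookie carries an undefined (empty) token while the database now holds the fresh one; the old cookie value has been overwritten as well, so the next request's auto-login will presumably fail to match. Keep the local, mirroring the logIn() hunk: `$token = $generator->generateHash('sha1');` followed by `$member->RememberLoginToken = $token;`. The enclosing autoLogin() method starts and ends outside this hunk.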