tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

BUGFIX Using RandomGenerator class in Member->logIn(), Member->autoLogin() and Member->generateAutologinHash() for better randomization of tokens. Increased VARCHAR length of 'RememberLoginToken' and 'AutoLoginHash' fields to 1024 characters to support longer token strings. (from r114504) (from r114507)

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114509 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2010-12-05 00:58:16 +00:00 committed by Sam Minnee
parent 0fb19f2884
commit a7c8de9bdf
1 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
security/Member.php
View File

@ -11,11 +11,11 @@ class Member extends DataObject {
'Surname' => 'Varchar', 'Surname' => 'Varchar',
'Email' => 'Varchar', 'Email' => 'Varchar',
'Password' => 'Varchar(64)', // support for up to SHA256! 'Password' => 'Varchar(64)', // support for up to SHA256!
'RememberLoginToken' => 'Varchar(50)', 'RememberLoginToken' => 'Varchar(128)',
'NumVisit' => 'Int', 'NumVisit' => 'Int',
'LastVisited' => 'SSDatetime', 'LastVisited' => 'SSDatetime',
'Bounced' => 'Boolean', // Note: This does not seem to be used anywhere. 'Bounced' => 'Boolean', // Note: This does not seem to be used anywhere.
'AutoLoginHash' => 'Varchar(30)', 'AutoLoginHash' => 'Varchar(128)',
'AutoLoginExpired' => 'SSDatetime', 'AutoLoginExpired' => 'SSDatetime',
'PasswordEncryption' => "Enum('none', 'none')", 'PasswordEncryption' => "Enum('none', 'none')",
'Salt' => 'Varchar(50)', 'Salt' => 'Varchar(50)',
@ -213,7 +213,8 @@ class Member extends DataObject {
$this->NumVisit++; $this->NumVisit++;
if($remember) { if($remember) {
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID)); $generator = new RandomGenerator();
$token = $generator->generateHash('sha1');
$this->RememberLoginToken = $token; $this->RememberLoginToken = $token;
Cookie::set('alc_enc', $this->ID . ':' . $token); Cookie::set('alc_enc', $this->ID . ':' . $token);
} else { } else {
@ -278,9 +279,9 @@ class Member extends DataObject {
if($member) { if($member) {
self::session_regenerate_id(); self::session_regenerate_id();
Session::set("loggedInAs", $member->ID); Session::set("loggedInAs", $member->ID);
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID)); $generator = new RandomGenerator();
$member->RememberLoginToken = $token; $member->RememberLoginToken = $generator->generateHash('sha1');
Cookie::set('alc_enc', $member->ID . ':' . $token); Cookie::set('alc_enc', $member->ID . ':' . $token);
$member->NumVisit++; $member->NumVisit++;
@ -324,8 +325,8 @@ class Member extends DataObject {
function generateAutologinHash($lifetime = 2) { function generateAutologinHash($lifetime = 2) {
do { do {
$hash = substr(base_convert(md5(uniqid(mt_rand(), true)), 16, 36), $generator = new RandomGenerator();
0, 30); $hash = $generator->generateHash('sha1');
} while(DataObject::get_one('Member', "`AutoLoginHash` = '$hash'")); } while(DataObject::get_one('Member', "`AutoLoginHash` = '$hash'"));
$this->AutoLoginHash = $hash; $this->AutoLoginHash = $hash;