Aleksander Machniak
2015-09-28 3d9798da1f9d130abffad3cb429ac3be677791c5
Make brute force attacks harder by re-generating security token on every failed login (#1490549)

Or more precisely, use the same approach we did in git-master, i.e. do not base the token on
session ID, but use random bytes instead.
2 files modified
14 ■■■■ changed files
CHANGELOG 1 ●●●● patch | view | raw | blame | history
program/lib/Roundcube/rcube.php 13 ●●●● patch | view | raw | blame | history
CHANGELOG
@@ -2,6 +2,7 @@
===========================
- Fix so Installer requires PHP5
- Make brute force attacks harder by re-generating security token on every failed login (#1490549)
RELEASE 1.1.3
-------------
program/lib/Roundcube/rcube.php
@@ -1027,15 +1027,14 @@
     */
    public function get_request_token()
    {
        $sess_id = $_COOKIE[ini_get('session.name')];
        if (!$sess_id) {
            $sess_id = session_id();
        if (empty($_SESSION['request_token'])) {
            $plugin = $this->plugins->exec_hook('request_token', array(
                'value' => rcube_utils::random_bytes(32)));
            $_SESSION['request_token'] = $plugin['value'];
        }
        $plugin = $this->plugins->exec_hook('request_token', array(
            'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id)));
        return $plugin['value'];
        return $_SESSION['request_token'];
    }
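Review bot: The per-failed-login regeneration promised in the commit title is not in this hunk — the new `if (empty($_SESSION['request_token']))` guard only creates the token lazily and every later call returns the cached value, so rotation must come from the login path clearing or destroying the session somewhere outside this commit. The docblock above `get_request_token()` (outside the hunk) should say so, e.g. `@return string Per-session CSRF token; generated once and kept until the session data is cleared`, so a reader does not assume the getter itself rotates the token. The `request_token` hook result is also now cached for the whole session instead of being recomputed on each call, which is a behaviour change for plugins implementing that hook; and because the guard uses `empty()`, a plugin returning `''` or `'0'` would regenerate the token on every call and no comparison against it could ever succeed, so either reject an empty hook value explicitly or add a comment stating that the hook must return a non-empty string.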