Make brute force attacks harder by re-generating security token on every failed login (#1490549)
Or more precisely, use the same approach we did in git-master, i.e. do not base the token on
the session ID, but use random bytes instead.
| | |
| | | =========================== |
| | | |
| | | - Fix so Installer requires PHP5 |
| | | - Make brute force attacks harder by re-generating security token on every failed login (#1490549) |
| | | |
| | | RELEASE 1.1.3 |
| | | ------------- |
| | |
| | | */ |
| | | public function get_request_token() |
| | | { |
| | | $sess_id = $_COOKIE[ini_get('session.name')]; |
| | | if (!$sess_id) { |
| | | $sess_id = session_id(); |
| | | if (empty($_SESSION['request_token'])) { |
| | | $plugin = $this->plugins->exec_hook('request_token', array( |
| | | 'value' => rcube_utils::random_bytes(32))); |
| | | |
| | | $_SESSION['request_token'] = $plugin['value']; |
| | | } |
| | | |
| | | $plugin = $this->plugins->exec_hook('request_token', array( |
| | | 'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id))); |
| | | |
| | | return $plugin['value']; |
| | | return $_SESSION['request_token']; |
| | | } |
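Review bot: The rotation promised in the commit title does not happen inside get_request_token() itself: once `$_SESSION['request_token']` is populated the same value is returned for the rest of the session, so a failed login only yields a fresh token if the caller clears that session key, and that code is not in this hunk (presumably the login handler does it). A comment above the `empty()` check would make that contract visible to the next maintainer, e.g. `// Cached per session; callers must unset $_SESSION['request_token'] (e.g. after a failed login) to force a new one.` Since the token's unpredictability now rests entirely on `rcube_utils::random_bytes(32)`, it is worth confirming that helper draws from a cryptographically secure source rather than `mt_rand()`, and that the `request_token` plugin hook is documented as able to replace the value, because a plugin returning a weak value silently undoes this hardening. Minor: `empty()` also treats a token of `'0'` as unset; `!isset($_SESSION['request_token'])` is the precise check. The file header and hunk boundaries of this section are not visible in the excerpt.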
| | | |
| | | |