From 33f5b5ef1ab49a21232e8b45c2051dde8484ff07 Mon Sep 17 00:00:00 2001
From: Shish
Date: Sat, 31 Aug 2024 21:52:31 +0100
Subject: [PATCH] [core] use salted sha3 instead of md5 for session tokens

---
 core/user.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/core/user.php b/core/user.php
index dec59c4f..bb26bc9e 100644
--- a/core/user.php
+++ b/core/user.php
@@ -93,6 +93,11 @@ class User
 if ($user_by_name->get_session_id() === $session) {
 $user = $user_by_name;
 }
+ // For 2.12, check old session IDs and convert to new IDs
+ if (md5($user_by_name->passhash . get_session_ip($config)) === $session) {
+ $user = $user_by_name;
+ $user->set_login_cookie();
+ }
 $cache->set("user-session-obj:$name-$session", $user, 600);
 }
 return $user;
@@ -265,9 +270,7 @@ class User
 public function get_session_id(): string
 {
 global $config;
- $addr = get_session_ip($config);
- $hash = $this->passhash;
- return md5($hash . $addr);
+ return hash("sha3-256", $this->passhash . get_session_ip($config) . SECRET);
 }
 
 public function set_login_cookie(): void
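Review bot: The legacy-token check added in the first hunk compares an md5 digest against the cookie value with `===`, which is not a constant-time comparison; the new line should read `if (hash_equals(md5($user_by_name->passhash . get_session_ip($config)), $session)) {` (the `===` on the context line above for the new token has the same issue, but is not part of this change). The fallback also has no sunset: the comment says it exists for the 2.12 upgrade, yet the unsalted md5 token stays accepted indefinitely, so a note such as `// TODO: drop legacy md5 acceptance in the release after 2.12` would keep the migration shim from becoming permanent. It also appears that a matching legacy cookie is cached under `user-session-obj:$name-$session` for 600 s after set_login_cookie() has issued the replacement token, so the old value keeps working for that window; a sentence in the comment saying this is intentional would help the next reader. The enclosing function begins before the hunk.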
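Review bot: The rewritten get_session_id() derives the token by concatenating `SECRET` into the hashed input rather than using a keyed construction; the idiomatic form is `return hash_hmac("sha3-256", $this->passhash . get_session_ip($config), SECRET);`, which keeps the key separate from request-influenced input (the IP) independent of SHA-3's own resistance to length extension. The three parts are joined without a delimiter, so if `passhash` or the IP string can vary in length, an explicit separator (or the HMAC above) removes any ambiguity in what was hashed. `SECRET` is not defined in this hunk; assuming it is an application-level constant, a short docblock on get_session_id() should state that rotating it invalidates every active session and that the token is still deterministic for a given (password hash, client IP) pair, so it does not rotate on its own.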