[core] use salted sha3 instead of md5 for session tokens
parent
c83401d43b
commit
33f5b5ef1a
1 changed files with 6 additions and 3 deletions
|
@ -93,6 +93,11 @@ class User
|
||||||
if ($user_by_name->get_session_id() === $session) {
|
if ($user_by_name->get_session_id() === $session) {
|
||||||
$user = $user_by_name;
|
$user = $user_by_name;
|
||||||
}
|
}
|
||||||
|
// For 2.12, check old session IDs and convert to new IDs
|
||||||
|
if (md5($user_by_name->passhash . get_session_ip($config)) === $session) {
|
||||||
|
$user = $user_by_name;
|
||||||
|
$user->set_login_cookie();
|
||||||
|
}
|
||||||
$cache->set("user-session-obj:$name-$session", $user, 600);
|
$cache->set("user-session-obj:$name-$session", $user, 600);
|
||||||
}
|
}
|
||||||
return $user;
|
return $user;
|
||||||
|
@ -265,9 +270,7 @@ class User
|
||||||
public function get_session_id(): string
|
public function get_session_id(): string
|
||||||
{
|
{
|
||||||
global $config;
|
global $config;
|
||||||
$addr = get_session_ip($config);
|
return hash("sha3-256", $this->passhash . get_session_ip($config) . SECRET);
|
||||||
$hash = $this->passhash;
|
|
||||||
return md5($hash . $addr);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function set_login_cookie(): void
|
public function set_login_cookie(): void
|
||||||
|
|
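Review bot: The legacy branch added in the first hunk still accepts `md5($user_by_name->passhash . get_session_ip($config))` as a valid session, so a token that does not depend on SECRET remains sufficient to authenticate, and `set_login_cookie()` then upgrades it. The salting therefore only takes full effect once this fallback is removed. I would make the removal explicit with a comment such as `// TODO: drop the legacy md5 session fallback once 2.12 cookies have expired`, and turn the new `if` into an `elseif` of the check above so the md5 is not computed for sessions that already matched. Both token comparisons would also be better written in constant-time form, e.g. `hash_equals($user_by_name->get_session_id(), $session)`, instead of `===`. The enclosing method starts before the hunk, so any earlier validation of `$session` is not visible here.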