diff options
Diffstat (limited to 'lib/util.php')
| -rwxr-xr-x | lib/util.php | 29 |
1 files changed, 6 insertions, 23 deletions
diff --git a/lib/util.php b/lib/util.php index de89e339d99..cb81f0a948c 100755 --- a/lib/util.php +++ b/lib/util.php @@ -473,17 +473,6 @@ class OC_Util { } /** - * @brief Static lifespan (in seconds) when a request token expires. - * @see OC_Util::callRegister() - * @see OC_Util::isCallRegistered() - * @description - * Also required for the client side to compute the piont in time when to - * request a fresh token. The client will do so when nearly 97% of the - * timespan coded here has expired. - */ - public static $callLifespan = 3600; // 3600 secs = 1 hour - - /** * @brief Register an get/post call. Important to prevent CSRF attacks. * @todo Write howto: CSRF protection guide * @return $token Generated token. @@ -491,30 +480,24 @@ class OC_Util { * Creates a 'request token' (random) and stores it inside the session. * Ever subsequent (ajax) request must use such a valid token to succeed, * otherwise the request will be denied as a protection against CSRF. - * The tokens expire after a fixed lifespan. - * @see OC_Util::$callLifespan * @see OC_Util::isCallRegistered() */ public static function callRegister() { // Check if a token exists - if(!isset($_SESSION['requesttoken']) || time() >$_SESSION['requesttoken']['time']) { + if(!isset($_SESSION['requesttoken'])) { // No valid token found, generate a new one. - $requestTokenArray = array( - "requesttoken" => self::generate_random_bytes(20), - "time" => time()+self::$callLifespan, - ); - $_SESSION['requesttoken']=$requestTokenArray; + $requestToken = self::generate_random_bytes(20); + $_SESSION['requesttoken']=$requestToken; } else { // Valid token already exists, send it - $requestTokenArray = $_SESSION['requesttoken']; + $requestToken = $_SESSION['requesttoken']; } - return($requestTokenArray['requesttoken']); + return($requestToken); } /** * @brief Check an ajax get/post call if the request token is valid. * @return boolean False if request token is not set or is invalid. - * @see OC_Util::$callLifespan * @see OC_Util::callRegister() */ public static function isCallRegistered() { @@ -530,7 +513,7 @@ class OC_Util { } // Check if the token is valid - if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']["time"]) { + if($token !== $_SESSION['requesttoken']) { // Not valid return false; } else { |