diff --git a/public/include/classes/csrftoken.class.php b/public/include/classes/csrftoken.class.php
index 380b78cc..b0e59204 100644
--- a/public/include/classes/csrftoken.class.php
+++ b/public/include/classes/csrftoken.class.php
@@ -18,7 +18,7 @@ class CSRFToken Extends Base {
 $month = $data[0]; $day = $data[1]; $year = $data[2]; $hour = $data[3]; $minute = $data[4]; $second = $data[5];
 $salt1 = $this->salt; $salt2 = $this->salty;
 $seed = $salt1;
- $lead = $this->config['csrf']['options']['leadtime'];
+ $lead = $this->config['csrf']['leadtime'];
 if ($lead >= 11) { $lead = 10; }
 if ($lead <= 0) { $lead = 3; }
 if ($minute == 59 && $second > (60-$lead)) {
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index c4dcd220..796c54af 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@@ -136,20 +136,21 @@ $config['twofactor']['options']['changepw'] = true;
  * Options:
  * enabled = Whether or not we will generate/check for valid CSRF tokens
  * sitewide = Require a valid CSRF token for most* forms, does not override form specific settings
- * * contact, account edit, workers, notifications, invites, registration
- * leadtime = Length of time in seconds to give as leeway between minute switches
+ * * contact, account edit, workers, notifications, invites, registration, passsword resets
  * login = Use and check login-specific CSRF token
+ * leadtime = Length of time in seconds to give as leeway between minute switches
+ * * Don't change this unless you know why you're changing it
  *
  * Default:
  * enabled = true
  * sitewide = true
- * leadtime = 3
  * login = true
+ * leadtime = 3
  */
 $config['csrf']['enabled'] = true;
 $config['csrf']['options']['sitewide'] = true;
-$config['csrf']['options']['leadtime'] = 3;
 $config['csrf']['forms']['login'] = true;
+$config['csrf']['leadtime'] = 3;
 
 /**
  * Lock account after maximum failed logins
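Review bot: The added read of `$this->config['csrf']['leadtime']` has no fallback, so a deployed global.inc.php that still sets the old `['csrf']['options']['leadtime']` key produces an undefined-index notice and a null `$lead`, which the `if ($lead <= 0) { $lead = 3; }` clamp two lines below silently turns into 3 — the operator's setting is dropped with no signal. The same key move in the global.inc.dist.php hunk only updates the template, not existing copies of it. Consider honouring the old key during a transition, e.g. `$lead = isset($this->config['csrf']['leadtime']) ? $this->config['csrf']['leadtime'] : (isset($this->config['csrf']['options']['leadtime']) ? $this->config['csrf']['options']['leadtime'] : 3);`, or at least a migration note for existing installs. The enclosing method starts and ends outside the hunk.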
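Review bot: The added forms line in the global.inc.dist.php docblock has a typo, `passsword resets` should read `password resets`. The new `Don't change this unless you know why you're changing it` line would be more useful if it stated the bounds the CSRFToken class actually applies, which are visible in the first hunk: a value of 11 or more is clamped to 10 and a value of 0 or below falls back to 3, e.g. `* * Effective range is 1-10 seconds; 0 or below falls back to 3, 11 or above is clamped to 10`. Since `leadtime` now sits at `$config['csrf']['leadtime']` while `sitewide` stays under `['options']`, a short remark that the key deliberately moved out of `options` would help operators updating an existing config not to put it back.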