improved bad csrf token error message

cleaned up wording of config
improved leadtime defaults in getCSRFToken
This commit is contained in:
xisi 2014-01-16 00:57:02 -05:00
parent 764be9f0b7
commit 8736123df2
3 changed files with 7 additions and 4 deletions


@ -801,8 +801,10 @@ class User extends Base {
$month = $data[0]; $day = $data[1]; $year = $data[2];
$hour = $data[3]; $minute = $data[4]; $second = $data[5];
$seed = $this->salty;
// X second lead time on each minute
if ($minute == 59 && $second > (60-$this->config['csrf']['options']['leadtime'])) {
$lead = $this->config['csrf']['options']['leadtime'];
if ($lead >= 11) { $lead = 10; }
if ($lead <= 0) { $lead = 3; }
if ($minute == 59 && $second > (60-$lead)) {
$minute = 0;
$fhour = ($hour == 23) ? $hour = 0 : $hour+=1;
}
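Review bot: The rewritten guard `if ($minute == 59 && $second > (60-$lead))` only applies the lead time during the last seconds of minute 59, i.e. once per hour, while the comment `// X second lead time on each minute` (if it survives on the new side) promises it at every minute boundary; if the token seed really changes each minute (the rest of the method is outside this hunk, so I cannot confirm), the check should fire whenever `$second > (60-$lead)`, advancing `$minute` and reserving the hour rollover for the 59 case. The clamp on the two added lines is also inconsistent with the 1–10s range the config comment in this commit documents: a value of 0 or below, and with PHP's loose comparison an unset or non-numeric value, falls back to 3 rather than 1, while 11 and above is capped at 10, so bad input is treated differently at the two ends. Cast explicitly and use a single documented fallback, e.g. `$lead = (int)$this->config['csrf']['options']['leadtime']; if ($lead < 1 || $lead > 10) { $lead = 3; }`. The cap is the security-relevant bound, since `$lead` is the number of seconds during which a token for the next period is issued early, so it should not be allowed to grow quietly. The enclosing method (getCSRFToken per the commit message) begins and ends outside this hunk.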


@ -134,7 +134,7 @@ $config['twofactor']['options']['changepw'] = true;
*
* Options:
* enabled = Whether or not we will generate/check for valid CSRF tokens
* leadtime = 1 minute + leadtime seconds for reseeding tokens
* leadtime = Length of time in seconds to give as leeway, 1-10s
* login = Use and check CSRF tokens for the login forms
*
* Default:


@ -25,7 +25,8 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
}
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: Token expired', 'TYPE' => 'errormsg');
$img = "<img src='site_assets/mpos/images/questionmark.png' title='Tokens are used to help us mitigate attacks; Simply login again to continue' width='20px' height='20px'>";
$_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
}
} else if (@$_POST['username'] && @$_POST['password']) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
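Review bot: The new `$img` line embeds a fixed block of HTML (an image tag with a title attribute) inside the login handler and stores it in `$_SESSION['POPUP']`; it contains no user-controlled data, so there is no injection here, but mixing markup into controller code makes it easy for a later edit to interpolate `$user->getError()` or a submitted username into the same string unescaped. Consider keeping the image markup in the view and storing only the message text, or at least hoisting the tag into a constant guarded by a comment such as `// static markup only: never interpolate user input into POPUP content without htmlspecialchars()`. Downgrading the popup from 'errormsg' to 'info' is reasonable for users, but a rejected login token is also a possible CSRF attempt; I cannot see a server-side log of that event in this hunk, so if none exists elsewhere one should be recorded before the popup is queued. The surrounding if/else chain starts before this hunk.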