author | Christian Stocker <me@chregu.tv> | 2011-02-22 06:38:50 +0100 |
committer | Christian Stocker <me@chregu.tv> | 2011-02-22 06:38:50 +0100 |
commit | a1e43c5aeb09bfbdd594572f42cb6d044d150e62 (patch) | |
tree | 34404f81be9e008196395944d0ecc6ec123c6b00 | |
parent | deb9eb105fbd7705dee5d24826314c944a406a5e (diff) | |
use hash_hmac instead of sha1
include user_agent in the otp cookie hash
-rw-r--r-- | web/Users.php | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/web/Users.php b/web/Users.php
index c794537..37d7e02 100644
--- a/web/Users.php
+++ b/web/Users.php
@@ -108,7 +108,9 @@ class User {
 function setOTPCookie() {
 $time = floor(time() / (3600 * 24) ); // get day number
- $cookie = $time.":".sha1($this->getUsername().":".$time.":".$this->getSecret());
+ //about using the user agent: It's easy to fake it, but it increases the barrier for stealing and reusing cookies nevertheless
+ // and it doesn't do any harm (except that it's invalid after a browser upgrade, but that may be even intented)
+ $cookie = $time.":".hash_hmac("sha1",$this->getUsername().":".$time.":". $_SERVER['HTTP_USER_AGENT'],$this->getSecret());
 setcookie ( "otp", $cookie, time() + (30 * 24 * 3600), null,null,null,true );
 }
@@ -119,7 +121,7 @@ class User {
 if (isset($_COOKIE['otp'])) {
 list( $otpday,$hash) = explode(":",$_COOKIE['otp']);
- if ( $otpday >= $time - $daysUntilInvalid && $hash == sha1($this->getUsername().":".$otpday .":" . $this->getSecret())
+ if ( $otpday >= $time - $daysUntilInvalid && $hash == hash_hmac('sha1',$this->getUsername().":".$otpday .":". $_SERVER['HTTP_USER_AGENT'] , $this->getSecret())
 ) {
 return true;
 }
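Review bot: `$_SERVER['HTTP_USER_AGENT']` is read unguarded on the new `$cookie` line in setOTPCookie, so a request that sends no User-Agent header raises an undefined-index notice and the HMAC is silently computed over an empty string; the same unguarded read appears in the second hunk's comparison. Read it once through a guard such as `$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';` and use `$ua` in both places so issue and verification cannot diverge. Separately, the unchanged `setcookie` call passes `null` for the secure flag, so the cookie is still sent over plain HTTP; the HMAC raises the bar for forging a cookie but does nothing for one captured in transit, so passing `true` for secure next to the existing httponly is worth considering. setOTPCookie ends inside the hunk; the class continues outside it.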
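Review bot: The new `if` line in the second hunk still compares the cookie hash with `==`, which in PHP treats two numeric-looking strings as numbers, so hex digests of the form `0e…` compare equal to each other; compare with `===`, or with `hash_equals($expected, $hash)` on PHP 5.6+, so the check is strict and not timing-dependent. The `list( $otpday,$hash) = explode(":",$_COOKIE['otp']);` line above it also leaves `$hash` undefined when the cookie contains no colon, so the comparison should only run when both parts are present, e.g. `$parts = explode(":", $_COOKIE['otp'], 2); if (count($parts) === 2) { … }`. The enclosing method starts and ends outside the hunk.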