-rw-r--r--web/Users.php6
1 files changed, 4 insertions, 2 deletions
diff --git a/web/Users.php b/web/Users.php
index c794537..37d7e02 100644
--- a/web/Users.php
+++ b/web/Users.php
@@ -108,7 +108,9 @@ class User {
function setOTPCookie() {
$time = floor(time() / (3600 * 24) ); // get day number
- $cookie = $time.":".sha1($this->getUsername().":".$time.":".$this->getSecret());
+ //about using the user agent: It's easy to fake it, but it increases the barrier for stealing and reusing cookies nevertheless
+ // and it doesn't do any harm (except that it's invalid after a browser upgrade, but that may be even intented)
+ $cookie = $time.":".hash_hmac("sha1",$this->getUsername().":".$time.":". $_SERVER['HTTP_USER_AGENT'],$this->getSecret());
setcookie ( "otp", $cookie, time() + (30 * 24 * 3600), null,null,null,true );
}
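Review bot: `$_SERVER['HTTP_USER_AGENT']` is read unguarded on the new line that builds `$cookie`; a request without a User-Agent header raises an undefined-index notice and silently binds the cookie to an empty string, so guard it first: `$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';` and use `$ua` in the HMAC message. Because the User-Agent is attacker-chosen, the added comment is right that it is only a speed bump; the real protection is the HMAC keyed with the user secret, so the consumer of this cookie should compare with `hash_equals()` — the check in the following hunk still uses `==`, which is neither constant-time nor safe from PHP's numeric-string comparison rules on hex digests. The `setcookie` call on the unchanged context line passes `null` for the secure flag, so this cookie is also sent over plain HTTP; pass `true` there if the site is served over TLS. The enclosing `User` class continues outside the hunk.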
@@ -119,7 +121,7 @@ class User {
if (isset($_COOKIE['otp'])) {
list( $otpday,$hash) = explode(":",$_COOKIE['otp']);
- if ( $otpday >= $time - $daysUntilInvalid && $hash == sha1($this->getUsername().":".$otpday .":" . $this->getSecret())
+ if ( $otpday >= $time - $daysUntilInvalid && $hash == hash_hmac('sha1',$this->getUsername().":".$otpday .":". $_SERVER['HTTP_USER_AGENT'] , $this->getSecret())
) {
return true;
}