Increase security of autologin keys

This commit is contained in:
Kijin Sung 2017-02-27 15:55:04 +09:00
parent fc63b2e9b8
commit d074e5e9b5


@ -1719,8 +1719,15 @@ class memberController extends member
$output->data = array_first($output->data); $output->data = array_first($output->data);
} }
// Hash the security key, but allow raw keys for a limited time.
$valid_security_keys = array(base64_encode(hash_hmac('sha256', $security_key, $autologin_key, true)));
if (time() < 1489503600)
{
$valid_security_keys[] = $security_key;
}
// Check the security key. // Check the security key.
if ($output->data->security_key !== $security_key || !$output->data->member_srl) if (!in_array($output->data->security_key, $valid_security_keys) || !$output->data->member_srl)
{ {
$args = new stdClass; $args = new stdClass;
$args->autologin_key = $autologin_key; $args->autologin_key = $autologin_key;
@ -1732,7 +1739,7 @@ class memberController extends member
$new_security_key = Rhymix\Framework\Security::getRandom(24, 'alnum'); $new_security_key = Rhymix\Framework\Security::getRandom(24, 'alnum');
$args = new stdClass; $args = new stdClass;
$args->autologin_key = $autologin_key; $args->autologin_key = $autologin_key;
$args->security_key = $new_security_key; $args->security_key = base64_encode(hash_hmac('sha256', $security_key, $autologin_key, true));
$update_output = executeQuery('member.updateAutologin', $args); $update_output = executeQuery('member.updateAutologin', $args);
if ($update_output->toBool()) if ($update_output->toBool())
{ {
@ -1905,7 +1912,7 @@ class memberController extends member
$random_key = Rhymix\Framework\Security::getRandom(48, 'alnum'); $random_key = Rhymix\Framework\Security::getRandom(48, 'alnum');
$autologin_args = new stdClass; $autologin_args = new stdClass;
$autologin_args->autologin_key = substr($random_key, 0, 24); $autologin_args->autologin_key = substr($random_key, 0, 24);
$autologin_args->security_key = substr($random_key, 24, 24); $autologin_args->security_key = base64_encode(hash_hmac('sha256', substr($random_key, 24, 24), $autologin_key, true));
$autologin_args->member_srl = $this->memberInfo->member_srl; $autologin_args->member_srl = $this->memberInfo->member_srl;
$autologin_args->user_agent = json_encode(Rhymix\Framework\UA::getBrowserInfo()); $autologin_args->user_agent = json_encode(Rhymix\Framework\UA::getBrowserInfo());
$autologin_output = executeQuery('member.insertAutologin', $autologin_args); $autologin_output = executeQuery('member.insertAutologin', $autologin_args);
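Review bot: The rotation in the second hunk stores the HMAC of the old `$security_key` rather than of the freshly generated `$new_security_key`, so the new key is never persisted and, if the cookie is refreshed with `$new_security_key` (outside the hunk), the next visit cannot verify; the assignment should read `$args->security_key = base64_encode(hash_hmac('sha256', $new_security_key, $autologin_key, true));`. The same pattern appears in the third hunk, where the insert keys the HMAC with `$autologin_key` although the row's autologin key is `substr($random_key, 0, 24)`; unless `$autologin_key` is assigned that value earlier in the enclosing function (not visible here), the check in the first hunk, which keys the HMAC with the key read from the cookie, can never match, and `$autologin_args->autologin_key` is the value to pass. In the first hunk the `in_array` check is a loose, non-constant-time comparison of a secret; looping over `$valid_security_keys` with `hash_equals((string) $candidate, (string) $output->data->security_key)` avoids both loose-equality matches and the timing difference. The literal `1489503600` cut-over would be clearer as a named constant with a comment giving the calendar date it encodes. The enclosing methods of all three hunks start and end outside the hunks.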