fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-09 11:44:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

자동 로그인 key를 예측하기 어렵도록 변경

Browse source
This commit is contained in:
Kijin Sung 2015-03-30 15:30:09 +09:00
parent f7b3da6f0e
commit dec9251891
1 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/member/member.controller.php
View file

@ -1650,9 +1650,10 @@ class memberController extends member
$do_auto_login = false;
// Compare key values based on the information
$key = md5($user_id . $password . $_SERVER['HTTP_USER_AGENT']);
$check_key = strtolower($user_id).$password.$_SERVER['HTTP_USER_AGENT'];
$check_key = substr(hash_hmac('sha256', $check_key, substr($args->autologin_key, 0, 32)), 0, 32);
if($key == $args->autologin_key)
if($check_key === substr($args->autologin_key, 32))
{
// Check change_password_date
$oModuleModel = getModel('module');
@ -1837,8 +1838,12 @@ class memberController extends member
if($keep_signed)
{
// Key generate for auto login
$oPassword = new Password();
$random_key = $oPassword->createSecureSalt(32, 'hex');
$extra_key = strtolower($user_id).$this->memberInfo->password.$_SERVER['HTTP_USER_AGENT'];
$extra_key = substr(hash_hmac('sha256', $extra_key, $random_key), 0, 32);
$autologin_args = new stdClass;
$autologin_args->autologin_key = md5(strtolower($user_id).$this->memberInfo->password.$_SERVER['HTTP_USER_AGENT']);
$autologin_args->autologin_key = $random_key.$extra_key;
$autologin_args->member_srl = $this->memberInfo->member_srl;
executeQuery('member.deleteAutologin', $autologin_args);
$autologin_output = executeQuery('member.insertAutologin', $autologin_args);