Changeset 4492


Timestamp:
Dec 14, 2009, 11:16:52 PM (14 years ago)
Author:
nikrou
Message:

Bug 1328 add function to check token

File:
1 edited

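--- a/trunk/admin/include/functions.php
+++ b/trunk/admin/include/functions.php
@@ -24,4 +24,26 @@
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
 
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_token()
+{
+  global $conf;
+
+  $token = hash_hmac('md5', session_id(), $conf['secret_key']);
+
+  if (!empty($_POST['pwg_token']) && ($_POST['pwg_token'] != $token))
+  {
+    access_denied();   
+  }
+  elseif (!empty($_GET['pwg_token']) && ($_GET['pwg_token'] != $token))
+  {
+    access_denied();   
+  }
+}
 
 // The function delete_site deletes a site and call the function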
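Review bot: check_token() fails open: when neither `$_POST['pwg_token']` nor `$_GET['pwg_token']` is set, both branches are skipped and the request proceeds, so a request that omits the parameter is never rejected and the CSRF check only applies when the requester chooses to send a token. The docblock describes this as intended, but callers guarding state-changing admin actions need a form that denies on a missing token, e.g. `if (empty($_POST['pwg_token']) || $_POST['pwg_token'] !== $token) { access_denied(); }`. The comparisons also use loose `!=`, which PHP evaluates numerically when both operands are numeric-looking strings, so two different values can compare equal; use `!==`, or `hash_equals($token, $value)` where the supported PHP version provides it, which is also constant-time. If accepting a missing token has to stay for compatibility, the docblock should say outright that the function does not enforce the presence of a token.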