From 25be923e821438abe161cf6fac734cd60dabecfa Mon Sep 17 00:00:00 2001
From: marcus
Date: Mon, 1 Sep 2008 09:13:16 +0000
Subject: Additional per-session random token, additional randomness protection against CSRF. Report problems.

git-svn-id: https://code.elgg.org/elgg/trunk@2048 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/actions.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'engine/lib/actions.php')

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 76913f2b4..a78072f31 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -177,8 +177,11 @@
 // Get user agent
 $ua = $_SERVER['HTTP_USER_AGENT'];
 
+// Session token
+$st = $_SESSION['__elgg_session'];
+
 if (($site_secret) && ($session_id))
-return md5($site_secret.$timestamp.$session_id.$ua);
+return md5($site_secret.$timestamp.$session_id.$ua.$st);
 
 return false;
 }
-- 
cgit v1.2.3
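Review bot: The new `$st = $_SESSION['__elgg_session'];` line reads the session key without checking it exists, so when the key is missing the token silently degrades to the old `md5($site_secret.$timestamp.$session_id.$ua)` form (plus a PHP notice) rather than failing — the extra randomness this commit is meant to add is then absent without any signal. Fold the presence check into the existing guard so a missing per-session token is treated like a missing secret or session id: `if ($site_secret && $session_id && isset($_SESSION['__elgg_session']))` followed by `return md5($site_secret.$timestamp.$session_id.$ua.$_SESSION['__elgg_session']);`, with `return false;` otherwise. Where and how `__elgg_session` is generated is not visible in this hunk; it only strengthens the token if it is set from a cryptographically strong source on session start and never from request data, which is worth confirming in the code that populates it. Separately, `md5($secret . data)` is a keyed-hash-by-concatenation; a keyed construction such as `hash_hmac('sha256', $timestamp.$session_id.$ua.$st, $site_secret)` is the conventional choice, though changing it would invalidate tokens already issued and should be done deliberately. The enclosing function's signature and its `$site_secret`, `$session_id` and `$timestamp` assignments start above this hunk and are not shown.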