07-15-2017, 04:45 PM
argh i see, I'll give that a go, defo gonna look at the token class a little closer, I noticed it's using
md5( uniqid() ) so I've changed the class a little.
Currently it generates:
Code:
<input type="hidden" name="csrf" value="89f378ee3aa6812ace51c50ce5f24e8b">
But if we change the class to:
Code:
class Token {
    public static function generate() {
        // mcrypt_create_iv() is deprecated as of PHP 7.1.0, so only use it when it still exists
        if (function_exists('mcrypt_create_iv')) {
            return Session::put(Config::get('session/token_name'), bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)));
        } else {
            // fallback: 32 bytes from OpenSSL's CSPRNG, hex-encoded to 64 characters
            return Session::put(Config::get('session/token_name'), bin2hex(openssl_random_pseudo_bytes(32)));
        }
    }

    public static function check($token) {
        $tokenName = Config::get('session/token_name');
        // strict compare against the stored token, then delete it so each token is single-use
        if (Session::exists($tokenName) && $token === Session::get($tokenName)) {
            Session::delete($tokenName);
            return true;
        }
        return false;
    }
}
it generates:
Code:
<input type="hidden" name="csrf" value="d400c97e10082978da1541ba27b3f4501d796116a2d466e49740038d30d56883">
which is far less predictable than uniqid()
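An added example (not the poster's code) of the same generate/check pattern on PHP 7+, with random_bytes() in place of the mcrypt/openssl branches and hash_equals() for the comparison; the Session and Config classes are array-backed stand-ins assumed for this example so the file runs on its own, and the checks at the bottom show the single-use and replay behaviour.

```php
<?php
// Added example, not the poster's code: the same Token pattern on PHP 7+.
// random_bytes() replaces the mcrypt/openssl branches and hash_equals() does
// the comparison. Session and Config are array-backed stand-ins (assumed,
// not the forum's framework) so this file runs on its own.
declare(strict_types=1);
final class Config {
    public static function get(string $key): string {
        return $key === 'session/token_name' ? 'csrf_token' : ''; // stand-in
    }
}

final class Session {
    private static $store = []; // stands in for $_SESSION
    public static function put(string $k, string $v): string { self::$store[$k] = $v; return $v; }
    public static function exists(string $k): bool { return isset(self::$store[$k]); }
    public static function get(string $k): string { return self::$store[$k]; }
    public static function delete(string $k): void { unset(self::$store[$k]); }
}

final class Token {
    // 32 bytes from the OS CSPRNG, hex-encoded: 64 characters, like the poster's output.
    public static function generate(): string {
        return Session::put(Config::get('session/token_name'), bin2hex(random_bytes(32)));
    }

    // Single-use check: constant-time compare, then delete the stored token on success.
    public static function check(?string $token): bool {
        $name = Config::get('session/token_name');
        if ($token === null || !Session::exists($name)) {
            return false;
        }
        if (hash_equals(Session::get($name), $token)) {
            Session::delete($name);
            return true;
        }
        return false;
    }
}

function expect(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("FAILED: $what"); }
}
$t = Token::generate();
expect(strlen($t) === 64 && ctype_xdigit($t), 'token is 64 hex chars');
expect(Token::check(substr($t, 1)) === false, 'truncated/tampered token rejected');
expect(Token::check($t) === true, 'first submission accepted');
expect(Token::check($t) === false, 'replay of the same token rejected');
echo "all csrf token checks passed\n";
```

Run it with `php token_example.php`; it throws on the first failed expectation, otherwise prints the final line.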