www/adiumxtras.com 57:a3b9cfa49b4d: Set a cookie with a random t...
Fri Feb 27 12:58:02 UTC 2015
details: http://hg.adium.im/www/adiumxtras.com/rev/a3b9cfa49b4d
revision: 57:a3b9cfa49b4d
branch: adiumxtras.com
author: Thijs Alkemade <me at thijsalkema.de>
date: Fri Feb 27 13:57:54 2015 +0100
Set a cookie with a random token and an HMAC signature, instead of md5(pass).
diffs (44 lines):
diff -r 533cb44de6a6 -r a3b9cfa49b4d include.php
--- a/include.php Fri Feb 27 13:18:23 2015 +0100
+++ b/include.php Fri Feb 27 13:57:54 2015 +0100
@@ -121,8 +121,19 @@
function currentUID() {
global $CACHE;
- if (!isset($CACHE['currentUID']))
- $CACHE['currentUID'] = validUser($_COOKIE['xtras_user'], $_COOKIE['xtras_pass']);
+ if (!isset($CACHE['currentUID'])) {
+ list ($user, $token, $mac) = explode(':', $_COOKIE['xtras_pass']);
+
+ if ($mac !== hash_hmac('sha256', $user . ':' . $token, COOKIE_SECRET_KEY)) {
+ return false;
+ }
+
+ if (base64_decode($user) !== $_COOKIE['xtras_user']) {
+ return false;
+ }
+
+ $CACHE['currentUID'] = userInfo($_COOKIE['xtras_user']);
+ }
return $CACHE['currentUID'];
}
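Review bot: The MAC check on the `if ($mac !== hash_hmac(...))` line uses `!==`, a byte-wise comparison that stops at the first mismatch and therefore leaks timing about the expected digest; on PHP 5.6+ it should read `if (!hash_equals(hash_hmac('sha256', $user . ':' . $token, COOKIE_SECRET_KEY), $mac)) {`, with the three-field check below done first so `$mac` is guaranteed to be a string. The `list ($user, $token, $mac) = explode(':', $_COOKIE['xtras_pass']);` line assumes the cookie is present and has exactly three fields: a missing or truncated `xtras_pass` leaves `$mac` null (with a notice), and `explode` without a limit silently discards any extra fields, so guard with `isset($_COOKIE['xtras_pass'])`, pass `3` as the explode limit and return false unless `count($parts) === 3`. The two early `return false` paths also skip `$CACHE`, so a failed check is recomputed on every call in the request, whereas the removed line cached whatever validUser() returned; storing `false` in `$CACHE['currentUID']` before returning keeps that behaviour.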
diff -r 533cb44de6a6 -r a3b9cfa49b4d users.php
--- a/users.php Fri Feb 27 13:18:23 2015 +0100
+++ b/users.php Fri Feb 27 13:57:54 2015 +0100
@@ -113,8 +113,14 @@
// Allow www. and non-www. to be logged in at the same time.
$cookiePath = "/";
$cookieDomain = ".adiumxtras.com";
+
+ $token = sha1(openssl_random_pseudo_bytes(32));
+ $cookie = base64_encode($_POST['login_username']) . ':' . $token;
+
+ $mac = hash_hmac('sha256', $cookie, COOKIE_SECRET_KEY);
+
setcookie("xtras_user", $_POST['login_username'], $cookieDuration, $cookiePath, $cookieDomain);
- setcookie("xtras_pass", md5($_POST['login_password']), $cookieDuration, $cookiePath, $cookieDomain);
+ setcookie("xtras_pass", $cookie . ':' . $mac, $cookieDuration, $cookiePath, $cookieDomain);
if ($_POST['refer'])
header(sprintf("Location: %s", $_POST['refer']));
else
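Review bot: The new `setcookie("xtras_pass", $cookie . ':' . $mac, ...)` line issues what is now a bearer credential but still omits the httponly (and secure) arguments, leaving the signed cookie readable from script; pass `true` for httponly, e.g. `setcookie("xtras_pass", $cookie . ':' . $mac, $cookieDuration, $cookiePath, $cookieDomain, false, true);`, and `true` for secure once the site is served over HTTPS. The `$token = sha1(openssl_random_pseudo_bytes(32));` line ignores the function's `$crypto_strong` out-parameter and its `false` return, so on a host where a strong source is unavailable the call can yield a constant (`sha1('')`) token; capture the flag and refuse to issue the cookie when it is not set. Nothing in the hunk stores `$token` server-side, so as far as this change shows the cookie remains valid until `$cookieDuration` elapses and cannot be revoked; if that is intended, a comment at the `$cookie =` line should say so, otherwise the token should be persisted and checked by currentUID(). The login handler enclosing these lines starts and ends outside the hunk.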