diff options
| author | Craig Andrews <candrews@integralblue.com> | 2010-09-05 17:35:43 -0400 |
|---|---|---|
| committer | Craig Andrews <candrews@integralblue.com> | 2010-09-07 13:45:52 -0400 |
| commit | 3dd734b2c3ea49c55467cfbfd4b3a5fb38456e87 (patch) | |
| tree | 330d8ebb3b178d9705c9669e7b7074206fee14f9 | |
| parent | 86a702953a8082b062e48c8f6eea60a7f749ef12 (diff) | |
Remove CSRF protection from username/password login and from OpenID login.
| -rw-r--r-- | actions/login.php | 20 | ||||
| -rw-r--r-- | plugins/OpenID/openidlogin.php | 9 |
2 files changed, 1 insertions, 28 deletions
diff --git a/actions/login.php b/actions/login.php index d3e4312f7..07c601a4d 100644 --- a/actions/login.php +++ b/actions/login.php @@ -118,27 +118,10 @@ class LoginAction extends Action * @return void */ - function checkLogin($user_id=null, $token=null) + function checkLogin($user_id=null) { // XXX: login throttle - // CSRF protection - token set in NoticeForm - $token = $this->trimmed('token'); - if (!$token || $token != common_session_token()) { - $st = common_session_token(); - if (empty($token)) { - common_log(LOG_WARNING, 'No token provided by client.'); - } else if (empty($st)) { - common_log(LOG_WARNING, 'No session token stored.'); - } else { - common_log(LOG_WARNING, 'Token = ' . $token . ' and session token = ' . $st); - } - - $this->clientError(_('There was a problem with your session token. '. - 'Try again, please.')); - return; - } - $nickname = $this->trimmed('nickname'); $password = $this->arg('password'); @@ -261,7 +244,6 @@ class LoginAction extends Action $this->elementEnd('li'); $this->elementEnd('ul'); $this->submit('submit', _('Login')); - $this->hidden('token', common_session_token()); $this->elementEnd('fieldset'); $this->elementEnd('form'); $this->elementStart('p'); diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php index 20d6e070c..f3a5c8847 100644 --- a/plugins/OpenID/openidlogin.php +++ b/plugins/OpenID/openidlogin.php @@ -42,14 +42,6 @@ class OpenidloginAction extends Action oid_assert_allowed($openid_url); - # CSRF protection - $token = $this->trimmed('token'); - if (!$token || $token != common_session_token()) { - // TRANS: Message given when there is a problem with the user's session token. - $this->showForm(_m('There was a problem with your session token. Try again, please.'), $openid_url); - return; - } - $rememberme = $this->boolean('rememberme'); common_ensure_session(); @@ -136,7 +128,6 @@ class OpenidloginAction extends Action $this->elementStart('fieldset'); // TRANS: OpenID plugin logon form legend. $this->element('legend', null, _m('OpenID login')); - $this->hidden('token', common_session_token()); $this->elementStart('ul', 'form_data'); $this->elementStart('li'); |