Fix autologin token, form tokens failed cause session was not set

2019-02-20 23:06:13 +01:00 · 2019-02-20 23:06:13 +01:00 · f948279583
commit f948279583
parent c737565c13
1 changed files with 5 additions and 2 deletions
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
@ -392,8 +392,9 @@ function serendipity_login($use_external = true) {
    } elseif (isset($serendipity['COOKIE']['author_username'])) {
        $user = $serendipity['COOKIE']['author_username'];
        $valid_logintoken = serendipity_checkAutologin($user);
-
        if ($valid_logintoken === true) {
+            // if we do not tie down the session gere it will be recreated on every page reload, which will fuck op the form token system. That's why we need to load all data that makes the session stick. That's why we call setAuthorToken here.
+            serendipity_setAuthorToken();
            serendipity_load_userdata($user);
            return true;
        } else {
@ -600,7 +601,7 @@ function serendipity_authenticate_author($username = '', $password = '', $is_has
                    }
                }

-                // This code is only reached, if the password before is valid.
+                // This code is only reached if the password before is valid.
                if ($is_valid_user) {
                    if ($debug) fwrite($fp, date('Y-m-d H:i') . ' [sid:' . session_id() . '] - Success.' . "\n");
                    serendipity_setCookie('old_session', session_id(), false);
@ -2051,11 +2052,13 @@ function serendipity_checkFormToken($output = true) {
        if ($output) echo serendipity_reportXSRF('token', false);
        return false;
    }
+
    if ($token != md5(session_id()) &&
        $token != md5($serendipity['COOKIE']['old_session'])) {
        if ($output) echo serendipity_reportXSRF('token', false);
        return false;
    }
+
    return true;
 }