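/**
 * Process a submitted logon form.
 *
 * A request carrying `guest_logon` starts a guest session (uid 0) when the
 * guest account is enabled. Otherwise `user_logon` and `user_password` are
 * checked with user_logon(); on success a session is started for the
 * returned uid, the CSRF token is rotated, the last-visit and visitor-log
 * entries are refreshed, and the auto-logon cookies are set or cleared
 * depending on `user_remember`.
 *
 * @return bool true when a session was started, false on any failure.
 */
function logon_perform()
{
    if (isset($_POST['guest_logon'])) {
        if (!user_guest_enabled()) {
            return false;
        }

        session::start(0);
        session::refresh_csrf_token();
        session::update_visitor_log(0, true);

        return true;
    }

    // Both credentials must be present as plain strings: PHP decodes a field
    // such as `user_logon[]=x` into an array, which must never reach the
    // credential check or be written back into a cookie.
    $user_logon = $_POST['user_logon'] ?? null;
    $user_password = $_POST['user_password'] ?? null;

    if (!is_string($user_logon) || !is_string($user_password)) {
        return false;
    }

    $uid = user_logon($user_logon, $user_password);

    if ($uid === false) {
        return false;
    }

    session::start($uid);
    session::refresh_csrf_token();
    forum_update_last_visit($uid);
    session::update_visitor_log($uid, true);

    $remember = $_POST['user_remember'] ?? null;

    if ($remember === 'Y') {
        // Persist an auto-logon token alongside the logon name for a year.
        $user_token = user_generate_token($uid);

        html_set_cookie('user_logon', $user_logon, time() + YEAR_IN_SECONDS);
        html_set_cookie('user_token', $user_token, time() + YEAR_IN_SECONDS);
    } else {
        // Expire any previously issued auto-logon cookies.
        html_set_cookie('user_logon', '', time() - YEAR_IN_SECONDS);
        html_set_cookie('user_token', '', time() - YEAR_IN_SECONDS);
    }

    return true;
}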
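/**
 * Reject POST requests that do not carry the session's CSRF token.
 *
 * Non-POST requests, scripts listed by get_csrf_exempt_files() and requests
 * made while BH_DISABLE_CSRF is defined are passed through untouched.
 * Otherwise the token field is removed from $_POST so it does not leak into
 * later form handling; a missing or mismatched token rotates the session
 * token and hands the error to html_draw_error().
 *
 * @return void
 */
function form_check_csrf_token()
{
    $method = $_SERVER['REQUEST_METHOD'] ?? '';

    if (mb_strtoupper($method) !== 'POST') {
        return;
    }

    // Strict membership so a numeric-looking script name cannot match loosely.
    if (in_array(basename($_SERVER['PHP_SELF']), get_csrf_exempt_files(), true) || defined('BH_DISABLE_CSRF')) {
        return;
    }

    $token_name = forum_get_setting('csrf_token_name');

    if (!$token_name) {
        // NOTE(review): html_draw_error() is assumed to end the request here — confirm it does not return.
        html_draw_error(gettext('Sorry, you do not have access to this page.'));
    }

    $submitted = $_POST[$token_name] ?? null;
    $expected = session::get_csrf_token();

    // hash_equals() needs two strings (an array-valued field would otherwise
    // raise a TypeError) and compares in constant time. A loose `!=` would
    // treat two different numeric-looking tokens such as "0e1" and "0e2"
    // as equal, so the comparison is done strictly and only on strings.
    if (!is_string($submitted) || !is_string($expected) || !hash_equals($expected, $submitted)) {
        unset($_POST[$token_name]);
        session::refresh_csrf_token();
        html_draw_error(gettext('Sorry, you do not have access to this page.'));
    }

    unset($_POST[$token_name]);
}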
/**
 * Return the CSRF token held in the session, generating a fresh one first
 * when none is stored or the stored value is not a string.
 *
 * @return string
 */
public static function get_csrf_token()
{
    $stored = $_SESSION['CSRF_TOKEN'] ?? null;

    if (!is_string($stored)) {
        session::refresh_csrf_token();
    }

    return $_SESSION['CSRF_TOKEN'];
}