summaryrefslogtreecommitdiffstats
path: root/system/libraries
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2014-08-30 14:19:29 +0200
committerFlorian Pritz <bluewind@xinu.at>2014-08-30 14:19:29 +0200
commit7d02c59da55224bb9ce9aaea470ba237a4100a34 (patch)
treec84fd127cf7a4739988ade0b398cfaa7f75da2fe /system/libraries
parent6ac5e9af6770b4f9cb1349aa562edd4b8e84ce32 (diff)
parent37df6fa88ec63bffa5545bdc3b3c7c3801c9b635 (diff)
Merge tag '2.2.0' into working
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'system/libraries')
-rw-r--r--system/libraries/Session.php15
1 files changed, 8 insertions, 7 deletions
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 64c06f4f1..5f4f60547 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -145,7 +145,9 @@ class CI_Session {
}
// HMAC authentication
- if (($len = strlen($session) - 40) <= 0)
+ $len = strlen($session) - 40;
+
+ if ($len <= 0)
{
log_message('error', 'Session: The session cookie was not signed.');
return FALSE;
@@ -158,9 +160,11 @@ class CI_Session {
// Time-attack-safe comparison
$hmac_check = hash_hmac('sha1', $session, $this->encryption_key);
$diff = 0;
+
for ($i = 0; $i < 40; $i++)
{
- $diff |= ord($hmac[$i]) ^ ord($hmac_check[$i]);
+ $xor = ord($hmac[$i]) ^ ord($hmac_check[$i]);
+ $diff |= $xor;
}
if ($diff !== 0)
@@ -668,11 +672,8 @@ class CI_Session {
{
$cookie_data = $this->CI->encrypt->encode($cookie_data);
}
- else
- {
- // if encryption is not used, we provide an md5 hash to prevent userside tampering
- $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
- }
+
+ $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key);
$expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();