
Changes for #1043

Description changed by adaur (2015-07-06 20:06:50)

 1:  1:
 I am not sure that we are completely safe. I am not sure that we are completely safe.
  
 In include/functions.php: In include/functions.php:
  
-[code] if (forum_hmac($cookie['user_id'].'|'.$cookie['expiration_time'], $cookie_seed.'_cookie_hash') != $cookie['cookie_hash'])[/code]+[code] // If the cookie has been tampered with  
 + if (forum_hmac($cookie['user_id'].'|'.$cookie['expiration_time'], $cookie_seed.'_cookie_hash') != $cookie['cookie_hash'])[/code] 
 +[code]if (!isset($pun_user['id']) || forum_hmac($pun_user['password'], $cookie_seed.'_password_hash') !== $cookie['password_hash'])[/code]
  
 We only use a "!=" to compare hashes. Shouldn't we use at least "!==" or a hash_equals backport ? We only use a "!=" to compare hashes. Shouldn't we use at least "!==" or a hash_equals backport ?
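Review bot: The cookie_hash check quoted first still compares with "!=", which is PHP's loose comparison: two HMAC strings that both look numeric (for example, both "0e" followed only by digits) are compared as numbers and can be reported equal even though the strings differ. The added password_hash line already uses "!==", which removes that type juggling but is not a constant-time comparison. Suggest that both checks go through hash_equals() (native from PHP 5.6, a backport for older versions), with the freshly computed forum_hmac(...) value as the first argument and the cookie-supplied value cast to string as the second. The description should also say which of the two quoted lines is the one being reported, since the closing sentence says only "!=" is used while the added line shows "!==".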