Added more security flags to prevent XSS attacks via cookies.

Focuslinkstech 2024-10-09 15:56:47 +01:00 committed by Ibnu Maksum
parent c08c069479
commit 96365eef2a
4 changed files with 45 additions and 1 deletions


@ -368,3 +368,34 @@ function isTableExist($table)
}
}
function generateCsrfToken($expiryTime = 3600)
{
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $token;
$_SESSION['csrf_token_time'] = time();
$_SESSION['csrf_token_expiry'] = $expiryTime;
return $token;
}
function validateCsrfToken($token)
{
if (!isset($_SESSION['csrf_token'])) {
_log(Lang::T("CSRF token not set in session."));
return false;
}
if (is_null($token)) {
_log(Lang::T("Token passed is null."));
return false;
}
$tokenAge = time() - $_SESSION['csrf_token_time'];
if ($tokenAge > $_SESSION['csrf_token_expiry']) {
_log(Lang::T("CSRF token has expired."));
return false;
}
return hash_equals($_SESSION['csrf_token'], $token);
}
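Review bot: validateCsrfToken guards only against a null token (the `is_null($token)` check), but the value typically comes straight from the request and may be an array or a number, and on PHP 8 `hash_equals()` then throws a TypeError instead of returning false, turning a malformed submission into a fatal error. Tighten the guard to `if (!is_string($token) || $token === '') {` so the function keeps its documented false-on-bad-input contract. The expiry check also reads `$_SESSION['csrf_token_time']` and `$_SESSION['csrf_token_expiry']` without checking they exist; a session that holds only `csrf_token` would produce undefined-index notices, so guarding with `isset()` on all three keys (or a single array) would be safer. Whether a token should be invalidated after one successful validation is a design choice not visible here; if single-use is intended, a comment saying so on generateCsrfToken would help the next reader.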


@ -5,6 +5,10 @@
* by https://t.me/ibnux
**/
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
header("Pragma: no-cache");
if(Admin::getID()){
r2(U.'dashboard', "s", Lang::T("You are already logged in"));
}
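Review bot: The three `header()` calls added at the top of this file are repeated verbatim in the other two controllers touched by this commit (the same Cache-Control/Expires/Pragma lines appear in the next file's hunk and in the logout file), so a single shared helper such as `function _nocache() { header(...); header(...); header(...); }` called from each file would keep the policy in one place. Note also that these headers control response caching; they do not set any cookie attribute (HttpOnly, Secure, SameSite), so if the commit title's cookie-flag change lives in a file outside these hunks it is worth pointing to it in the description, and if it does not, the description overstates what is visible here. Because `header()` must run before any output, the placement right after the license comment is correct as long as nothing above it emits whitespace; the rest of this file lies outside the hunk.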


@ -5,6 +5,10 @@
* by https://t.me/ibnux
**/
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
header("Pragma: no-cache");
$maintenance_mode = $config['maintenance_mode'];
if ($maintenance_mode == true) {
displayMaintenanceMessage();


@ -1,12 +1,17 @@
<?php
/**
* PHP Mikrotik Billing (https://github.com/hotspotbilling/phpnuxbill/)
* by https://t.me/ibnux
**/
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
header("Pragma: no-cache");
run_hook('customer_logout'); #HOOK
if (session_status() == PHP_SESSION_NONE) session_start();
Admin::removeCookie();
User::removeCookie();
session_destroy();
_alert(Lang::T('Logout Successful'),'warning', "login");
_alert(Lang::T('Logout Successful'), 'warning', "login");
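Review bot: `session_destroy()` on its own removes the server-side session data but neither clears the in-process `$_SESSION` array nor expires the browser's session cookie, so the old session ID keeps being sent until the browser drops it; the usual logout pattern is `$_SESSION = [];` followed by `if (ini_get('session.use_cookies')) { setcookie(session_name(), '', time() - 42000, '/'); }` before the `session_destroy();` call. The `session_status() == PHP_SESSION_NONE` comparison would be clearer as `===` since both sides are integers. The only change to the `_alert(...)` line is whitespace, which reads as an accidental formatting touch rather than part of the cache-header change.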