Revert r4609 and use stateless request tokens; no need to save them in session and thus no keep-alive necessary; fixes #1487829

git-svn-id: https://svn.roundcube.net/trunk@4615 208e9e7b-5314-0410-a742-e7e81cd9613c
author: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2011-03-22 07:49:43 +0000
committer: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2011-03-22 07:49:43 +0000
commit: c714ec706f0e4c02344f9d0dd33421093c761464 (patch)
tree: 0a55e8bbb687fe1e53fda7ea4e57141a4dca5623 /roundcubemail/program/include
parent: 4c3144b911456c9dfab765643fbdb11e493e0254 (diff)
1 files changed, 4 insertions, 7 deletions
diff --git a/roundcubemail/program/include/rcmail.php b/roundcubemail/program/include/rcmail.php
index d9bb30bbe..0fc744605 100644
--- a/roundcubemail/program/include/rcmail.php
+++ b/roundcubemail/program/include/rcmail.php
@@ -1106,12 +1106,8 @@ class rcmail
    */
   public function get_request_token()
   {
-    $key = $this->task;
-
-    if (!$_SESSION['request_tokens'][$key])
-      $_SESSION['request_tokens'][$key] = md5(uniqid($key . mt_rand(), true));
-
-    return $_SESSION['request_tokens'][$key];
+    $sess_id = $_COOKIE[ini_get('session.name')];
+    return md5('RT' . $this->task . $this->config->get('des_key') . $sess_id);
   }
 
 
@@ -1124,7 +1120,8 @@ class rcmail
   public function check_request($mode = RCUBE_INPUT_POST)
   {
     $token = get_input_value('_token', $mode);
-    return !empty($token) && $_SESSION['request_tokens'][$this->task] == $token;
+    $sess_id = $_COOKIE[ini_get('session.name')];
+    return !empty($sess_id) && $token == $this->get_request_token();
   }
author	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2011-03-22 07:49:43 +0000
committer	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2011-03-22 07:49:43 +0000
commit	c714ec706f0e4c02344f9d0dd33421093c761464 (patch)
tree	0a55e8bbb687fe1e53fda7ea4e57141a4dca5623 /roundcubemail/program/include
parent	4c3144b911456c9dfab765643fbdb11e493e0254 (diff)