@@ -41,7 +41,7 @@ function checksession($link) | |
global $SERVER_TIMEOUT, $HOSTDOMAIN; | ||
session_start(); | ||
if(!isset($_SESSION['loginok'])||$_SESSION['loginok']!=1) {session_destroy();return FALSE;} | ||
if(isset($_SERVER['HTTP_REFERER'])&&($_SERVER['HTTP_REFERER']!='')&&(strpos($_SERVER['HTTP_REFERER'], $HOSTDOMAIN)!==0)) | ||
if(isset($_SERVER['HTTP_REFERER'])&&($_SERVER['HTTP_REFERER']!='')&&(strpos(strtolower($_SERVER['HTTP_REFERER']), strtolower($HOSTDOMAIN))!==0)) | ||
zeruniverse
Author
Owner
{ | ||
//Users from other sites are banned | ||
session_destroy(); | ||
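Review bot: The referer test on the new line 15 still fails open: the `isset(...) && !=''` guard skips the origin comparison whenever the Referer header is absent or empty, so such a request is treated as same-site and the session survives. If the Referer is meant to act as an origin check it should fail closed, e.g. `if(!isset($_SERVER['HTTP_REFERER'])||$_SERVER['HTTP_REFERER']===''||strpos(strtolower($_SERVER['HTTP_REFERER']), strtolower($HOSTDOMAIN))!==0)`, and the comment `//Users from other sites are banned` should say that requests without a Referer are rejected too; the more robust option is a per-session CSRF token validated on state-changing requests, since a case-insensitive string-prefix match is a weak origin test. `checksession` begins before the hunk and its remaining body and return are outside it.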
For example, if your site is "site.com", make sure "site.com.attacker.com" doesn't pass your origin check (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header).