Merge pull request MPOS#1754 from MPOS/csrf-validation

[FIX] Use session ID for user uniqueness
omagian · Feb 15, 2014 · 7c4ec2f · 7c4ec2f
2 parents 587b579 + cb85e26
commit 7c4ec2f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/public/index.php b/public/index.php
@@ -148,11 +148,11 @@ function cfip() { return (@defined('SECURITY')) ? 1 : 0; }
 
 // Check csrf token validity if necessary
 if ($config['csrf']['enabled'] && isset($_REQUEST['ctoken']) && !empty($_REQUEST['ctoken']) && !is_array($_REQUEST['ctoken'])) {
-  $csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_REQUEST['ctoken'])) ? 1 : 0;
+  $csrftoken->valid = ($csrftoken->checkBasic(session_id(), $arrPages[$page], $_REQUEST['ctoken'])) ? 1 : 0;
 } else if ($config['csrf']['enabled'] && (!@$_REQUEST['ctoken'] || empty($_REQUEST['ctoken']))) {
   $csrftoken->valid = 0;
 }
-if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic($user->getCurrentIP(), $arrPages[$page]));
+if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic(session_id(), $arrPages[$page]));
 
 // Load the page code setting the content for the page OR the page action instead if set
 if (!empty($action)) {