From 8071beaa75257a6e763bf8b2d6dd586fe0935d6b Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 20:53:56 +0200
Subject: [PATCH] bind security token to username

This makes the security token more robust against session fixation
attacks. A CSRF warning will no longer abort a page save but lead to the
preview mode to avoid information loss when a user logs in during
editing (eg in another tab).
---
 inc/actions.php | 2 +-
 inc/common.php  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/inc/actions.php b/inc/actions.php
index 1a0ae4028..ddfafc554 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -101,7 +101,7 @@ function act_dispatch(){
             if(checkSecurityToken()){
                 $ACT = act_save($ACT);
             }else{
-                $ACT = 'show';
+                $ACT = 'preview';
             }
         }
 
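Review bot: The new `'preview'` fallback after a failed checkSecurityToken() is not explained at the site, so a reader would expect a rejected save to abort rather than render the submitted text; add `// token mismatch (e.g. re-login in another tab): fall back to preview so the edit text is not lost` above the assignment. Whether the user is told why the save did not happen depends on checkSecurityToken(), which is outside this hunk; if it emits no message, the preview is indistinguishable from a deliberate one. act_dispatch() starts and ends outside the hunk.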
diff --git a/inc/common.php b/inc/common.php
index 39af439f8..0c769c50d 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -56,7 +56,7 @@ function stripctl($string){
  * @return  string
  */
 function getSecurityToken(){
-    return md5(auth_cookiesalt().session_id());
+    return md5(auth_cookiesalt().session_id().$_SERVER['REMOTE_USER']);
 }
 
 /**
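Review bot: `$_SERVER['REMOTE_USER']` is read unconditionally in getSecurityToken(), but for a visitor who is not logged in the key may be absent, which raises an undefined-index notice on every token generation and check; read it as `$user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';` and return `md5(auth_cookiesalt().session_id().$user);`. The docblock above, whose start lies outside the hunk, still describes a token that depends only on the session; add a sentence such as `The token is bound to the session and to the logged-in user, so a token issued before a login or user switch no longer validates.` Optionally, `hash_hmac('md5', session_id().$user, auth_cookiesalt())` would use the salt as a key rather than as hashed prefix data.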
-- 
GitLab