make CSRF tokens much harder to guess

mojolicious · Oct 12, 2015 · 0cc79c4 · 0cc79c4
1 parent b2088ea
commit 0cc79c4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/Changes b/Changes
@@ -1,7 +1,7 @@
 
-6.24  2015-10-10
-  - Improved session security by not storing secrets in the stash and not using
-    secrets to generate the CSRF token.
+6.24  2015-10-12
+  - Improved session security by not storing secrets in the stash and making
+    CSRF tokens much harder to guess.
   - Improved commands to show all options that can affect their behavior.
 
 6.23  2015-10-06

diff --git a/lib/Mojolicious/Plugin/DefaultHelpers.pm b/lib/Mojolicious/Plugin/DefaultHelpers.pm
@@ -5,7 +5,7 @@ use Mojo::ByteStream;
 use Mojo::Collection;
 use Mojo::Exception;
 use Mojo::IOLoop;
-use Mojo::Util qw(dumper sha1_sum steady_time);
+use Mojo::Util qw(dumper hmac_sha1_sum steady_time);
 
 sub register {
   my ($self, $app) = @_;
@@ -66,7 +66,9 @@ sub _content {
 }
 
 sub _csrf_token {
-  shift->session->{csrf_token} ||= sha1_sum $$ . steady_time . rand 999;
+  my $c = shift;
+  return $c->session->{csrf_token}
+    ||= hmac_sha1_sum $$ . steady_time . rand 999, $c->app->secrets->[0];
 }
 
 sub _current_route {