CSRF key for logout


JEFF MACK

Posted

What components make up the CSRF key for the logout code? In 3.4 it was a combination of a few member items encrypted in md5. I need to create a logout key for sections of my site outside the forum.

Posted

That what you need?

Yes, that is good, but is this what it basically is? I am trying to figure out the logic that was there.
md5( email + login key + member_Id + joined + id) ?

Posted

\system\Session\Session.php, init method.

		/* Set ID */
		$this->id = session_id();

		/* Create csrf key */
		$this->csrfKey = md5( "{$this->member->email}&{$this->member->member_login_key}& " . ( $this->member->member_id ? $this->member->joined->getTimestamp() : 0 ) . '&' . $this->id );

You aren't going to be able to generate it externally (via an API or such) without loading the framework, due to the session_id being used therein, it would seem.

Posted

You can query the session id from the ipcore_sessions table. I am not a PHP programmer, so I am just trying to figure out what the logic means here with these variables.

 

overall to me it looks like:
md5( email + & + login key + & + member_id + & + joined + & + jsession_id) 

 

I am not 100% certain about that member_id / joined date part, since it looks like it's an if / or.
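
The composition discussed in this thread, as an added example (not part of the original posts and not Invision's own code): a Python port of the quoted `md5()` expression for a section that cannot load the framework. It assumes the email, login key, joined timestamp and session id were already read from the member row and the session record; the function names and sample values are made up for illustration.

```python
import hashlib
import hmac


def ips_csrf_key(email, login_key, member_id, joined_ts, session_id):
    """Rebuild the key from the Session.php init() expression quoted above.

    member_id is never hashed. It only selects between the joined
    timestamp (logged-in member) and a literal 0 (guest).
    """
    joined_part = int(joined_ts) if member_id else 0
    # PHP interpolates null as an empty string, so mirror that for guests.
    email = email or ""
    login_key = login_key or ""
    # The quoted PHP string has a space after the second '&'. It is kept
    # because any byte difference produces a different digest.
    material = f"{email}&{login_key}& {joined_part}&{session_id}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def csrf_key_matches(submitted, expected):
    """Compare a submitted key with the expected one in constant time."""
    return hmac.compare_digest(submitted.encode("utf-8"),
                               expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    member_key = ips_csrf_key("alice@example.test", "0123abcd", 42,
                              1400000000, "sess-member")
    guest_key = ips_csrf_key(None, None, 0, None, "sess-guest")
    print("member:", member_key)
    print("guest: ", guest_key)
    print("valid: ", csrf_key_matches(member_key, member_key))
    print("forged:", csrf_key_matches("0" * 32, member_key))
```

Because the session id is part of the hashed string, the key changes whenever the member's session changes, so the external section has to recompute it per session rather than store it.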

Archived

This topic is now archived and is closed to further replies.
