$file = @fopen( "/dev/urandom", "r" );
if ( $file ) {
- $proxyKey = bin2hex( fread( $file, 32 ) );
+ $secretKey = bin2hex( fread( $file, 32 ) );
fclose( $file );
} else {
- $proxyKey = "";
+ $secretKey = "";
for ( $i=0; $i<8; $i++ ) {
- $proxyKey .= dechex(mt_rand(0, 0x7fffffff));
+ $secretKey .= dechex(mt_rand(0, 0x7fffffff));
}
- print "<li>Warning: \$wgProxyKey is insecure</li>\n";
+ print "<li>Warning: \$wgSecretKey key is insecure, generated with mt_rand(). Consider changing it manually.</li>\n";
}
# Add slashes to strings for double quoting
\$wgLanguageCode = \"{$slconf['LanguageCode']}\";
\$wgUseLatin1 = " . ($conf->Latin1 ? 'true' : 'false') . ";\n
-\$wgProxyKey = \"$proxyKey\";
+\$wgProxyKey = \"$secretKey\";
## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook':
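Review bot: The generated LocalSettings.php still writes `$wgProxyKey` on the `+` line at L20 (`\$wgProxyKey = \"$secretKey\";`), while the rest of this change reads `$wgSecretKey` (DefaultSettings.php and User::setToken), so a fresh install would run with the published default value instead of the freshly generated key. The emitted line should be `\$wgSecretKey = \"$secretKey\";`; if proxy_check.php or other code outside this diff still reads `$wgProxyKey`, emit both assignments until that reference is migrated — I cannot see that file from here. A smaller point on the urandom branch: `fread( $file, 32 )` is not checked for a short read, so the key can silently be shorter than 64 hex characters with no warning printed; a guard such as `if ( strlen( $data ) === 32 )` before falling through to the mt_rand() fallback would close that gap.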
$wgProxyScriptPath = "$IP/proxy_check.php";
/** */
$wgProxyMemcExpiry = 86400;
-/** */
-$wgProxyKey = 'W1svekXc5u6lZllTZOwnzEk1nbs';
+/** This should always be customised in LocalSettings.php */
+$wgSecretKey = 'W1svekXc5u6lZllTZOwnzEk1nbs';
/** big list of banned IP addresses, in the keys not the values */
$wgProxyList = array();
# Set the random token (used for persistent authentication)
function setToken( $token = false ) {
+ global $wgSecretKey, $wgDBname;
if ( !$token ) {
- $this->mToken = '';
- # Take random data from PRNG
- # This is reasonably secure if the PRNG has been seeded correctly
- for ($i = 0; $i<USER_TOKEN_LENGTH / 4; $i++) {
- $this->mToken .= sprintf( "%04X", mt_rand( 0, 65535 ) );
- }
+ $this->mToken = md5( $wgSecretKey . mt_rand( 0, 0x7fffffff ) . $wgDBname . $this->mId );
} else {
$this->mToken = $token;
}
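Review bot: The new token on the `+` line replacing the loop derives from a single `mt_rand( 0, 0x7fffffff )` call plus values that are either public (`$wgDBname`, `$this->mId`) or shipped as a literal default in DefaultSettings.php (`$wgSecretKey`), so its unpredictability rests entirely on the administrator having replaced that default; the previous loop at least drew USER_TOKEN_LENGTH/4 independent samples. Worth stating that dependency where the token is built, e.g. `# Unpredictability of the token depends on $wgSecretKey being private and per-install; mt_rand() is not a CSPRNG`, and on a future pass reading from /dev/urandom here as the installer already does. The closing brace of setToken is outside the hunk, so I cannot see whether anything after the else branch validates the token length.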