Changeset 3979

Timestamp:

05/26/09 14:20:42 (3 years ago)

Author:

CrawfordCurrie

Message:

Item1586: limit the session to a limited number of keys; remove validation_key from the parameters passed through template login, or it confuses the JS because validation_key ends up as multi-valued; check the nonce during login; reduce to one unique key per page rendering, instead of one key per form per unique rendering

File:

• branches/Release01x00/core/pub/System/JavascriptFiles/strikeone.js (modified) (1 diff)

branches/Release01x00/core/pub/System/JavascriptFiles/strikeone.js

@@ -1 @@
-function foswikiStrikeOne() {
+function foswikiStrikeOne(form) {
     // Read the cookie to get the secret
     var secret = readCookie('FOSWIKISTRIKEONE');
-    // Find all validation_key inputs
-    var inputs = document.getElementsByTagName('input');
-    for (var i in inputs) {
-        if (inputs[i].name == 'validation_key') {
-            // combine the validation key with the secret in a way that
-            // can't easily be reverse-engineered, but can be duplicated
-            // on the server (which also knows the secret)
-            var key = inputs[i].value;
-            var newkey = b64_md5(key + secret);
-            inputs[i].value = newkey;
-        }
+    //console.debug("Submit "+form.name);
+    var input = form.validation_key;
+    if (input && input.value) {
+        // combine the validation key with the secret in a way
+        // that can't easily be reverse-engineered, but can be
+        // duplicated on the server (which also knows the secret)
+        var key = input.value.substring(1);
+        var newkey = hex_md5(key + secret);
+        input.value = newkey;
+        //console.debug("Revise "+key+" + "+secret+" -> "+newkey);
     }
 }