Implemented dynamic cookie hash generation
authorAlexander Ebert <ebert@woltlab.com>
Thu, 28 Sep 2017 10:03:45 +0000 (12:03 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Thu, 28 Sep 2017 10:03:45 +0000 (12:03 +0200)
Closes #2429

wcfsetup/install/files/lib/system/WCFSetup.class.php
wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
wcfsetup/install/files/options.inc.php

index 97a5815d4d583c06d85a5ee8933e0898d7e2b736..0405c4edfe5b2aabb27198a5f04592e085bcb046 100644 (file)
@@ -1206,8 +1206,31 @@ class WCFSetup extends WCF {
                        ]);
                }
                
+               // determine randomized cookie prefix
+               $prefix = 'wsc30_';
+               if (!self::$developerMode) {
+                       $cookieNames = array_keys($_COOKIE);
+                       while (true) {
+                               $prefix = 'wsc_' . substr(sha1(mt_rand()), 0, 6) . '_';
+                               $isValid = true;
+                               foreach ($cookieNames as $cookieName) {
+                                       if (strpos($cookieName, $prefix) === 0) {
+                                               $isValid = false;
+                                               break;
+                                       }
+                               }
+                               
+                               if ($isValid) {
+                                       break;
+                               }
+                       }
+                       
+                       // the options have not been imported yet
+                       file_put_contents(WCF_DIR . 'cookiePrefix.txt', $prefix);
+               }
+               
                // login as admin
-               define('COOKIE_PREFIX', 'wsc30_');
+               define('COOKIE_PREFIX', $prefix);
                
                $factory = new ACPSessionFactory();
                $factory->load();
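Review bot: The return value of `file_put_contents(WCF_DIR . 'cookiePrefix.txt', $prefix)` is never checked, so a failed write (permissions, full disk) leaves the setup defining COOKIE_PREFIX as the random value while options.inc.php, which reads that file, would presumably fall back to 'wsc30_' on later requests — the admin session created a few lines below would then be looked up under a different cookie name. Guard the write, e.g. `if (file_put_contents(WCF_DIR . 'cookiePrefix.txt', $prefix) === false) {` and abort the setup with an exception in the failing branch. The prefix itself is derived from `mt_rand()`, which is not a CSPRNG; the value is not secret, but if the installer's minimum PHP version permits it, `bin2hex(random_bytes(3))` yields the same six hex characters without relying on a seedable generator. The `while (true)` retry loop is bounded in practice by the 16^6 candidate space, but a comment stating that assumption would help the next reader. The enclosing method starts and ends outside this hunk.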
index ace7afc007da7559e2c9ee24a7b9336633adb54a..98afc7b912bbd60e383ff0aa169d1afe5750468e 100644 (file)
@@ -196,6 +196,15 @@ class PackageInstallationDispatcher {
                                                'wcf_uuid'
                                        ]);
                                        
+                                       if (file_exists(WCF_DIR . 'cookiePrefix.txt')) {
+                                               $statement->execute([
+                                                       COOKIE_PREFIX,
+                                                       'cookie_prefix'
+                                               ]);
+                                               
+                                               @unlink(WCF_DIR . 'cookiePrefix.txt');
+                                       }
+                                       
                                        $user = new User(1);
                                        $statement->execute([
                                                $user->username,
index bf82bacb90b8681dcb3b2080e70fee88b066cfff..1c7e18cf6d8fb2e39d053898f36544b3be5ba6ae 100644 (file)
@@ -8,7 +8,12 @@
  */
 define('LAST_UPDATE_TIME', TIME_NOW);
 
-define('COOKIE_PREFIX', 'wsc30_');
+$prefix = 'wsc30_';
+if (file_exists(WCF_DIR . 'cookiePrefix.txt')) {
+       $prefix = file_get_contents(WCF_DIR . 'cookiePrefix.txt');
+}
+define('COOKIE_PREFIX', $prefix);
+
 define('COOKIE_PATH', '');
 define('COOKIE_DOMAIN', '');
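Review bot: The contents of cookiePrefix.txt are used unvalidated: `file_get_contents()` returns false on an unreadable file, which would define COOKIE_PREFIX as false, and any stray whitespace or unexpected characters in the file become part of the cookie name sent to every client. Since the setup hunk only ever writes `wsc_` plus six hex characters plus `_`, this file should accept only that shape and otherwise keep the 'wsc30_' default. The hardening is small but more than a one-liner:

```php
$prefix = 'wsc30_';
if (file_exists(WCF_DIR . 'cookiePrefix.txt')) {
    $storedPrefix = file_get_contents(WCF_DIR . 'cookiePrefix.txt');
    // only accept the shape written by WCFSetup; fall back to the default otherwise
    if ($storedPrefix !== false && preg_match('/^[a-z0-9_]+$/', $storedPrefix)) {
        $prefix = $storedPrefix;
    }
}
define('COOKIE_PREFIX', $prefix);
```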