Commit 1fcfd1b9 authored by David Mudrák

MDL-63994 login: Improve the logintoken param input

The logintoken is supposed to arrive as a part of the login form ($frm)
together with the username and password. So it should be handled the
same way - including the opportunity for the auth plugins to provide the
form data via the loginpage_hook().

This also implies that only a logintoken coming as a part of the POST
request is taken into account, which is a good thing and another thin
layer in this security mechanism.
parent 8324204f
......@@ -38,7 +38,6 @@ redirect_if_major_upgrade_required();
$testsession = optional_param('testsession', 0, PARAM_INT); // test session works properly
$cancel = optional_param('cancel', 0, PARAM_BOOL); // redirect to frontpage, needed for loginhttps
$anchor = optional_param('anchor', '', PARAM_RAW); // Used to restore hash anchor to wantsurl.
$logintoken = optional_param('logintoken', '', PARAM_RAW); // Used to validate the request.
if ($cancel) {
redirect(new moodle_url('/'));
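Review bot: the dropped line `$logintoken = optional_param('logintoken', '', PARAM_RAW);` was the only place near the top of the script where `$logintoken` received a default, so after this change the variable exists only once the later assignment from `$frm` has run. Please confirm that nothing else in the script reads `$logintoken` on a path that skips that assignment (for example when `$frm` is false or `$errormsg` is set), or keep a plain `$logintoken = '';` default here.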
......@@ -152,6 +151,7 @@ if ($frm and isset($frm->username)) { // Login WITH
$frm = false;
} else {
if (empty($errormsg)) {
$logintoken = isset($frm->logintoken) ? $frm->logintoken : '';
$user = authenticate_user_login($frm->username, $frm->password, false, $errorcode, $logintoken);
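Review bot: the new assignment `$logintoken = isset($frm->logintoken) ? $frm->logintoken : '';` hands whatever is in `$frm` to authenticate_user_login() with no type check, and `$frm` may be filled by an auth plugin's loginpage_hook(), as the commit message notes. Suggest accepting the value only when it is a string (falling back to '' otherwise) so an array-valued form field cannot reach authenticate_user_login(). It would also help to document for auth plugin authors that a plugin supplying `$frm` through loginpage_hook() now has to include `logintoken`, since a missing property silently becomes an empty token.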