From 3dd734b2c3ea49c55467cfbfd4b3a5fb38456e87 Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Sun, 5 Sep 2010 17:35:43 -0400
Subject: [PATCH] Remove CSRF protection from username/password login and from
 OpenID login.

---
 actions/login.php              | 20 +-------------------
 plugins/OpenID/openidlogin.php |  9 ---------
 2 files changed, 1 insertion(+), 28 deletions(-)

diff --git a/actions/login.php b/actions/login.php
index d3e4312f71..07c601a4db 100644
--- a/actions/login.php
+++ b/actions/login.php
@@ -118,27 +118,10 @@ class LoginAction extends Action
      * @return void
      */
 
-    function checkLogin($user_id=null, $token=null)
+    function checkLogin($user_id=null)
     {
         // XXX: login throttle
 
-        // CSRF protection - token set in NoticeForm
-        $token = $this->trimmed('token');
-        if (!$token || $token != common_session_token()) {
-	    $st = common_session_token();
-	    if (empty($token)) {
-		common_log(LOG_WARNING, 'No token provided by client.');
-	    } else if (empty($st)) {
-		common_log(LOG_WARNING, 'No session token stored.');
-	    } else {
-		common_log(LOG_WARNING, 'Token = ' . $token . ' and session token = ' . $st);
-	    }
-
-            $this->clientError(_('There was a problem with your session token. '.
-                                 'Try again, please.'));
-            return;
-        }
-
         $nickname = $this->trimmed('nickname');
         $password = $this->arg('password');
 
@@ -261,7 +244,6 @@ class LoginAction extends Action
         $this->elementEnd('li');
         $this->elementEnd('ul');
         $this->submit('submit', _('Login'));
-        $this->hidden('token', common_session_token());
         $this->elementEnd('fieldset');
         $this->elementEnd('form');
         $this->elementStart('p');
diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php
index 20d6e070cd..f3a5c88479 100644
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@@ -42,14 +42,6 @@ class OpenidloginAction extends Action
 
             oid_assert_allowed($openid_url);
 
-            # CSRF protection
-            $token = $this->trimmed('token');
-            if (!$token || $token != common_session_token()) {
-                // TRANS: Message given when there is a problem with the user's session token.
-                $this->showForm(_m('There was a problem with your session token. Try again, please.'), $openid_url);
-                return;
-            }
-
             $rememberme = $this->boolean('rememberme');
 
             common_ensure_session();
@@ -136,7 +128,6 @@ class OpenidloginAction extends Action
         $this->elementStart('fieldset');
         // TRANS: OpenID plugin logon form legend.
         $this->element('legend', null, _m('OpenID login'));
-        $this->hidden('token', common_session_token());
 
         $this->elementStart('ul', 'form_data');
         $this->elementStart('li');
-- 
2.39.5