From 7d834847d15acbb1d4461b55a325bc71c22fd538 Mon Sep 17 00:00:00 2001
From: jakubvrana
Date: Fri, 20 Nov 2009 17:29:35 +0000
Subject: [PATCH] Trust user-supplied token with login

git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1248 7c3ca157-0c34-0410-bff1-cbf682f78f5c
---
 adminer/include/auth.inc.php | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index 678e8b1a..6049ac8c 100644
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -48,13 +48,6 @@ function auth_error($exception = null) {
 	page_footer("auth");
 }
 
-if (!$_SESSION["tokens"][$_GET["server"]]) {
-	$_SESSION["tokens"][$_GET["server"]] = rand(1, 1e6); // defense against cross-site request forgery
-	if ($_POST["token"]) {
-		$_POST["token"] = $_SESSION["tokens"][$_GET["server"]];
-	}
-}
-
 $username = &$_SESSION["usernames"][$_GET["server"]];
 if (!isset($username)) {
 	$username = $_GET["username"]; // default username can be passed in URL
@@ -65,3 +58,7 @@ if (is_string($connection) || !$adminer->login($username, $_SESSION["passwords"]
 	exit;
 }
 unset($username);
+
+if (!$_SESSION["tokens"][$_GET["server"]]) {
+	$_SESSION["tokens"][$_GET["server"]] = (isset($_POST["server"]) && $_POST["token"] ? $_POST["token"] : rand(1, 1e6)); // defense against cross-site request forgery
+}
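Review bot: The added block lets the request body choose the CSRF token: whenever no token exists yet for `$_GET["server"]` and the request carries `server` and a truthy `token` in `$_POST`, that posted value becomes the session token every later request is checked against. The login POST is the one request that cannot itself be CSRF-protected, so a cross-site login submission for a server the victim has not used in this session now also fixes the anti-CSRF secret to a value the submitter knows, which largely defeats the defense the trailing comment describes; the value is also never validated (it could be an array or an arbitrary string). The token should always be generated server-side, `$_SESSION["tokens"][$_GET["server"]] = rand(1, 1e6);`, and the login form should carry no trusted token at all. Separately, `rand(1, 1e6)` yields roughly 20 bits from a non-cryptographic generator; something like `bin2hex(openssl_random_pseudo_bytes(16))` would make the token unguessable. The `if (is_string($connection) || ...)` block that precedes this hunk starts outside it.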