Created
October 23, 2011 06:25
-
-
Save dhrrgn/1306949 to your computer and use it in GitHub Desktop.
Simple, yet effective CSRF class for FuelPHP.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Simple, yet effective CSRF class for FuelPHP. | |
| * | |
| * @author Dan Horrigan | |
| * @license MIT License | |
| * @copyright 2011 Dan Horrigan | |
| */ | |
| /** | |
| * CSRF class helps you protect against Csrf attacks. | |
| * | |
| * It employs the "One token per session" technique. This allows | |
| * multiple forms on multiple open pages to work correctly. If a hacker | |
| * somehow got the token, then that means they got into your session. | |
| * If the hacker gets in your session, then you are basically screwed | |
| * anyway, so this is fine. | |
| */ | |
| class CSRF | |
| { | |
| /** | |
| * @var string The key to use for storing the token in the session/input/meta tag | |
| */ | |
| protected static $token_key = 'csrf-token'; | |
| /** | |
| * @var int Length of the CSRF token | |
| */ | |
| protected static $token_length = 42; | |
| /** | |
| * @var string CSRF Token | |
| */ | |
| protected static $token = null; | |
| /** | |
| * Gets the current CSRF token. It will generate a new one if one | |
| * does not already exist for the session, it will then set it in | |
| * the Session. | |
| * | |
| * @return string | |
| */ | |
| public static function token() | |
| { | |
| if (static::$token !== null) | |
| { | |
| return static::$token; | |
| } | |
| if ( ! $token = Session::get(static::$token_key, false)) | |
| { | |
| $token = Str::random('alnum', static::$token_length); | |
| Session::set(static::$token_key, $token); | |
| } | |
| static::$token = $token; | |
| return static::$token; | |
| } | |
| /** | |
| * Validates either the given CSRF token or from the 'csrf-token' POST field. | |
| * | |
| * @param string|null Token to check or null to default to POST | |
| * @return bool | |
| */ | |
| public static function validate($token = null) | |
| { | |
| if ($token === null) | |
| { | |
| $token = Input::post(static::$token_key, null); | |
| } | |
| $token = trim(str_replace("\0", '', $token)); | |
| if ($token !== Session::get(static::$token_key)) | |
| { | |
| return false; | |
| } | |
| return true; | |
| } | |
| /** | |
| * Generates a meta tag with the generated csrf-token. This is useful for | |
| * protecting AJAX calls. | |
| * | |
| * @return string | |
| */ | |
| public static function meta_tag() | |
| { | |
| $token = static::token(); | |
| return html_tag('meta', array('name' => static::$token_key, 'content' => $token)); | |
| } | |
| /** | |
| * Generates a hidden input with the generated csrf-token. | |
| * | |
| * @return string | |
| */ | |
| public static function input() | |
| { | |
| $token = static::token(); | |
| return html_tag('input', array( | |
| 'type' => 'hidden', | |
| 'name' => static::$token_key, | |
| 'id' => static::$token_key, | |
| 'value' => $token | |
| )); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment