Lib para evitar ataques CSRF en KumbiaPHP
<?php | |
. | |
. | |
. | |
if (Input::hasPost('login', 'password') && HsCsrf::validate()) { | |
//Intenta la autenticación | |
return self::doAuthenticate(); | |
} |
<?php | |
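/**
 * Synchronizer-token CSRF protection helper for KumbiaPHP.
 *
 * `input()` generates a random token, stores it in the session and renders it
 * as a hidden form field; `validate()` checks that the value posted back with
 * the form is identical to the one kept in the session, which is what blocks
 * Cross-Site Request Forgery: a third-party site cannot read the victim's
 * session token and so cannot forge a request that passes `validate()`.
 *
 * @author Henry Stivens Adarme Muñoz <henry.stivens@gmail.com>
 * @category Sistema
 * @package Libs
 * @version 1.0
 */
class HsCsrf
{
    /**
     * Session key under which the token is stored.
     * Replace with a value of your own when deploying.
     */
    const TOKEN_NAME = '_csrf_token_09sdsdfjks0d9fdoas80a9sduojkas';//Cambiar por uno propio

    /**
     * Number of random bytes in the token; the hex-encoded field value is
     * twice this many characters. (Name kept as-is for backward compatibility.)
     */
    const TOKEN_LENGHT = 32;

    /**
     * Generates a fresh token, stores it in the session and returns the HTML
     * for a hidden input carrying it, to be echoed inside a <form>.
     *
     * Every call overwrites the token in the session, so only the most
     * recently rendered form (or browser tab) will pass `validate()`.
     *
     * @param string $field Name of the hidden input
     * @return string HTML for the hidden field
     * @throws \Exception when no cryptographically secure random source is available
     */
    public static function input($field = '_token')
    {
        // random_bytes() is the CSPRNG; bin2hex keeps the value safe to embed in HTML.
        $token = bin2hex(random_bytes(self::TOKEN_LENGHT));
        Session::set(self::TOKEN_NAME, $token);
        return Form::hidden($field, '', $token);
    }

    /**
     * Checks that the token posted in $field matches the one held in the session.
     *
     * @param string $field Name of the hidden input
     * @return boolean true only when both tokens exist and are byte-for-byte identical
     */
    public static function validate($field = '_token')
    {
        if (!Input::hasPost($field) || !Session::has(self::TOKEN_NAME)) {
            return false;
        }

        $posted = Input::post($field);
        $expected = Session::get(self::TOKEN_NAME);

        // Reject non-string input (e.g. "_token[]=x") up front: hash_equals()
        // only accepts strings. Using hash_equals() instead of "==" gives a
        // strict, constant-time comparison, avoiding both the numeric-string
        // type juggling of loose comparison and a timing side channel.
        if (!is_string($posted) || !is_string($expected)) {
            return false;
        }

        return hash_equals($expected, $posted);
    }
}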
<?php /* Login form. HsCsrf::input() emits a hidden "_token" field holding the
         same value it stores in the session; the controller handling this POST
         must call HsCsrf::validate() before authenticating. */ ?>
<form method="post">
    <?= HsCsrf::input(); ?>
    <div class="col-6 offset-3 text-center">
        <div class="row form-group">
            <div class="col-5 text-right">
                <label for="login">Usuario:</label>
            </div>
            <div class="col-7 text-left">
                <input type="text" id="login" name="login" class="control" />
            </div>
        </div>
        <div class="row form-group">
            <div class="col-5 text-right">
                <label for="password">Contraseña:</label>
            </div>
            <div class="col-7 text-left">
                <input type="password" id="password" name="password" class="control" />
            </div>
        </div>
        <div class="row">
            <div class="col-12">
                <button type="submit" class="btn btn-primary">Ingresar</button>
            </div>
        </div>
    </div>
</form>