Skip to content

Instantly share code, notes, and snippets.

@kemo
Created May 6, 2012 20:57
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save kemo/2624359 to your computer and use it in GitHub Desktop.
My Kohana 3.3 Security class with CSRF Validation helper method
<?php defined('SYSPATH') or die('No direct script access.');
class Security extends Kohana_Security {
protected static $_logout_token_name = 'logout_token_key';
public static $csrf_field = 'token';
/**
* Creates a validation object to check if the field specified
* is a valid CSRF token inside of Requests POST / GET
*
* If no field is passed, Security::$csrf_field will be used as the name
*
* @param Request $request
* @param string $field (optional)
* @return Validation
*/
public static function csrf_validation(Request $request, $field = NULL)
{
if ($field === NULL)
{
$field = Security::$csrf_field;
}
// Decide if POST or GET should be checked...
$data = ($request->method() === Request::POST) ? $request->post() : $request->query();
// Return the newly created Validation object
return Validation::factory($data)
->rule($field, 'not_empty')
->rule($field, 'Security::check');
}
/**
* Returns the token required for logout (for GET-based CSRF prevention)
*
* @return string token
*/
public static function logout_token()
{
$session = Session::instance();
$token = $session->get(Security::$_logout_token_name);
if ( ! $token)
{
$token = sha1(uniqid(NULL, TRUE));
$session->set(Security::$_logout_token_name, $token);
}
return $token;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment