This repository has been archived on 2024-06-26. You can view files and clone it, but cannot push or open issues or pull requests.
sakura/libraries/CSRF.php

84 lines
1.7 KiB
PHP
Raw Normal View History

<?php
2016-02-03 22:22:56 +00:00
/**
* Holds the CSRF token handler.
2016-03-08 23:07:58 +00:00
*
2016-02-03 22:22:56 +00:00
* @package Sakura
*/
namespace Sakura;
use Sakura\Hashing;
/**
2016-02-02 21:04:15 +00:00
* Used to generate and validate CSRF tokens.
2016-03-08 23:07:58 +00:00
*
* @package Sakura
2016-02-02 21:04:15 +00:00
* @author Julian van de Groep <me@flash.moe>
*/
class CSRF
{
2016-02-02 21:04:15 +00:00
/**
* The prefix to prevent collisions in the $_SESSION variable.
*/
const ID_PREFIX = '_sakura_csrf_';
2016-02-02 21:04:15 +00:00
/**
* The size of the randomly generated string.
*/
const RANDOM_SIZE = 16;
2016-02-02 21:04:15 +00:00
/**
* Create a new CSRF token.
2016-03-08 23:07:58 +00:00
*
2016-02-02 21:04:15 +00:00
* @param mixed $id The ID for this token.
2016-03-08 23:07:58 +00:00
*
2016-02-02 21:04:15 +00:00
* @return string The token.
*/
public static function create($id)
{
// Generate a token
$token = self::generate();
// Make identifier
$id = strtoupper(self::ID_PREFIX . $id);
// Assign to session
$_SESSION[$id] = $token;
// Return the token
return $token;
}
2016-02-02 21:04:15 +00:00
/**
* Generate a CSRF token.
2016-03-08 23:07:58 +00:00
*
2016-02-02 21:04:15 +00:00
* @return string Cryptographically secure random string.
*/
public static function generate()
{
return bin2hex(\mcrypt_create_iv(self::RANDOM_SIZE, MCRYPT_DEV_URANDOM));
}
2016-02-02 21:04:15 +00:00
/**
* Validate a CSRF token.
2016-03-08 23:07:58 +00:00
*
2016-02-02 21:04:15 +00:00
* @param mixed $token The token.
* @param mixed $id The ID.
2016-03-08 23:07:58 +00:00
*
2016-02-02 21:04:15 +00:00
* @return bool Indicator if it was right or not.
*/
public static function validate($token, $id)
{
// Set id
$id = strtoupper(self::ID_PREFIX . $id);
// Check if the token exists
if (!array_key_exists($id, $_SESSION)) {
return false;
}
// Use the slowEquals function from the hashing lib to validate
return Hashing::slowEquals($token, $_SESSION[$id]);
}
}