Valhalla Codes - CSRF Protection

Home

Codes

PHP

(4)

Created by ynori7 on 15.04.12 00:47

The cross-site request forgery (CSRF) prevention framework used by Valhalla. Automatically generates CSRF tokens and validates them. Part of the valhalla-core-utils-lib (see demo link).

Check it out here: Demo Link

<?php
/* 
 * Cross-site Request Forgery Synchronizer Tokens
 * A simple class for generating CSRF tokens in the Synchronizer Token Pattern.
 * For more information, @see http://halls-of-valhalla.org/beta/articles/cross-site-request-forgery-demystified,47/
 * 
 * @author ynori7
 * @copyright Copyright (c) 2014, halls-of-valhalla.org
 * @license http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International License. 
 * 
 * Example Usage:
 * $csrfToken = new CsrfToken();
 * if($csrfToken->isValidToken($_POST)){
 *   //CSRF token is valid, so perform action
 * }
 * 
 * To display in forms, just use:
 * $token = $csrfToken->getToken();
 */

namespace Valhalla\CoreUtilities\Security;

use Valhalla\CoreUtilities\Http\HttpSession;

class CsrfToken {
    const TOKEN_NAME = 'CSRFToken';
    
    /**
     * @var Valhalla\CoreUtilities\Http\SessionInterface
     */
    protected $_session;
    
    /**
     * Gets a token from the session. If there isn't one, puts one there.
     * 
     * @return string
     */
    public function getToken() {
        $session = $this->getSession();
        if ($session->get(self::TOKEN_NAME) === false){
            $session->set(self::TOKEN_NAME, self::generateToken());
        }
        return $session->get(self::TOKEN_NAME);
    }
    
    /**
     * Checks if the CSRF token is set in the request.
     * 
     * @param array $requestParams
     * @return boolean
     */
    public function isTokenSet($requestParams){
        return ( !empty($requestParams[self::TOKEN_NAME]) );
    }

    /**
     * Checks if there exists a token and if it's valid.
     * 
     * @param array $requestParams
     * @return boolean
     */
    public function isValidToken($requestParams) {
        return ($this->isTokenSet($requestParams) and
                self::getToken() === $requestParams[self::TOKEN_NAME]);
    }

    /**
     * Generates a unique token.
     * 
     * @return string
     */
    protected function generateToken() {
        return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
                mt_rand(0, 0xffff), 
                mt_rand(0, 0xffff), 
                mt_rand(0, 0xffff), 
                mt_rand(0, 0x0fff) | 0x4000, 
                mt_rand(0, 0x3fff) | 0x8000, 
                mt_rand(0, 0xffff), 
                mt_rand(0, 0xffff), 
                mt_rand(0, 0xffff)
        );
    }
    
    /**
     * Sets the session variable to be used. 
     * 
     * @param Valhalla\CoreUtilities\Http\SessionInterface $session
     */
    public function setSession($session){
        $this->_session = $session;
    }
    
    /**
     * Gets the session object if set, otherwise uses HttpSession by default.
     * 
     * @return Valhalla\CoreUtilities\Http\SessionInterface
     */
    public function getSession(){
        if(is_null($this->_session)){
            $this->setSession(new HttpSession());
        }
        return $this->_session;
    }

}

Last updated by ynori7 on 13.08.14 11:41

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Download this code in plain text format here

Comments:

ynori7

Created on 04.12.12 14:23

It could lead to issues though since $_REQUEST also contains $_COOKIE.

COM

Created on 19.04.12 18:06

Lines 37-39, aka the content of the isValidToken function, could be replaced with: return isset($_REQUEST['token'])?getCSRFToken()===$_REQUEST['token']:false;