From cec5c60e83675f7631d1114e66a911480abbbcc2 Mon Sep 17 00:00:00 2001
From: Dominique Fournier
Date: Sun, 1 Jun 2014 09:10:27 +0000
Subject: [PATCH] Add a 3600s timeout on the CSRF token

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@1377 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
---
 form.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/form.php b/form.php
index 3e73626..63c957d 100644
--- a/form.php
+++ b/form.php
@@ -546,6 +546,9 @@ class csrf
 public $field = "CSRF_TOKEN";
 /** The created token */
 private $csrfToken = "";
+ /** Timeout of the CSRF token : 3600s by default (maximum time allowed to
+ enter information in form and submit) */
+ private $csrfTimeout = 3600;
 /** This function return the token */
 public function createToken ()
@@ -557,6 +560,7 @@ class csrf
 ++$i);
 $this->csrfToken = $s;
 $_SESSION["domframework"]["form"]["csrf"] = $this->csrfToken;
+ $_SESSION["domframework"]["form"]["csrfStart"] = microtime (TRUE);
 }
 
 /** Check if the provided token is the right token, defined last displayed
@@ -569,6 +573,9 @@ class csrf
 throw new Exception (_("No previous CSRF token : abort"));
 if ($_SESSION["domframework"]["form"]["csrf"] !== $tokenFromUser)
 throw new Exception (_("Invalid CSRF token provided"));
+ if (($_SESSION["domframework"]["form"]["csrfStart"] + $this->csrfTimeout) <
+ microtime (TRUE))
+ throw new Exception (_("Obsolete CSRF token provided"));
 return TRUE;
 }
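Review bot: The new `private $csrfTimeout = 3600;` is documented as "3600s by default", yet nothing in this hunk lets a caller change it, so forms that legitimately take longer than an hour (long edit pages, file uploads) have no way to widen the window and will be rejected as obsolete. Either expose it with a setter such as `public function setTimeout ($seconds) { $this->csrfTimeout = (int) $seconds; }` or accept it as a constructor argument, and reject non-positive values. The class body continues outside the hunk, so a setter may already exist elsewhere; if so, the property comment should name it.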
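Review bot: The expiry check reads `$_SESSION["domframework"]["form"]["csrfStart"]` without testing that the key exists, so a session whose token was issued before this change, or any path that stores `csrf` without `csrfStart`, evaluates `null + 3600 < microtime (TRUE)`: it does reject, but through an undefined-index notice rather than a deliberate error. Guard it alongside the existing "No previous CSRF token" test, e.g. `if (!isset ($_SESSION["domframework"]["form"]["csrfStart"])) throw new Exception (_("No previous CSRF token : abort"));`, so the fail-closed behaviour is explicit and logged as a CSRF rejection, not as a PHP warning. The method's signature and opening lines are outside the hunk, so the existing existence check may already cover `csrfStart`; if it does, this is moot.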