Add a 3600s timeout on the CSRF token

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@1377 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
2014-06-01 09:10:27 +00:00
parent 5deed571ec
commit cec5c60e83


@@ -546,6 +546,9 @@ class csrf
public $field = "CSRF_TOKEN"; public $field = "CSRF_TOKEN";
/** The created token */ /** The created token */
private $csrfToken = ""; private $csrfToken = "";
/** Timeout of the CSRF token : 3600s by default (maximum time allowed to
enter information in form and submit) */
private $csrfTimeout = 3600;
/** This function return the token */ /** This function return the token */
public function createToken () public function createToken ()
@@ -557,6 +560,7 @@ class csrf
++$i); ++$i);
$this->csrfToken = $s; $this->csrfToken = $s;
$_SESSION["domframework"]["form"]["csrf"] = $this->csrfToken; $_SESSION["domframework"]["form"]["csrf"] = $this->csrfToken;
$_SESSION["domframework"]["form"]["csrfStart"] = microtime (TRUE);
} }
/** Check if the provided token is the right token, defined last displayed /** Check if the provided token is the right token, defined last displayed
@@ -569,6 +573,9 @@ class csrf
throw new Exception (_("No previous CSRF token : abort")); throw new Exception (_("No previous CSRF token : abort"));
if ($_SESSION["domframework"]["form"]["csrf"] !== $tokenFromUser) if ($_SESSION["domframework"]["form"]["csrf"] !== $tokenFromUser)
throw new Exception (_("Invalid CSRF token provided")); throw new Exception (_("Invalid CSRF token provided"));
if (($_SESSION["domframework"]["form"]["csrfStart"] + $this->csrfTimeout) <
microtime (TRUE))
throw new Exception (_("Obsolete CSRF token provided"));
return TRUE; return TRUE;
} }
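Review bot: The new age check in the last hunk reads `$_SESSION["domframework"]["form"]["csrfStart"]` without an `isset` guard, while the `csrf` key is explicitly checked for existence a few lines above it; a session that already holds a `csrf` entry written before this change has no `csrfStart`, so the comparison runs as `null + $this->csrfTimeout` under an undefined-index notice instead of a deliberate rejection. Fail closed explicitly: `if (!isset ($_SESSION["domframework"]["form"]["csrfStart"]) || ($_SESSION["domframework"]["form"]["csrfStart"] + $this->csrfTimeout) < microtime (TRUE))` ahead of the "Obsolete CSRF token provided" throw. Separately, `$csrfTimeout` in the first hunk is `private` with no setter visible in this section, so the "3600s by default" wording in its docblock is misleading unless a setter exists elsewhere; either expose one or say the value is fixed. The docblock above the checking function (starting "Check if the provided token is the right token") should also state that a token older than `$csrfTimeout` seconds is rejected. The checking function whose body the last hunk modifies begins outside the hunk.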