*/

/**
 * CSRF protection.
 *
 * By default the CSRF protection is active whenever a SESSION is active too;
 * it can be disabled by setting $csrf to FALSE. An Exception (code 406) is
 * raised by checkToken() if a form is sent back without a valid token.
 *
 * The token and its creation time are kept in
 * $_SESSION["domframework"]["csrf"], and the instance itself is shared
 * through $GLOBALS["domframework"]["csrf"] (see __construct()).
 */
class csrf {
  /** Allow to disable the CSRF protection: when FALSE, checkToken() always
   * returns TRUE without looking at the session */
  public $csrf=TRUE;
  /** Name of the hidden field in the HTML form */
  public $field = "CSRF_TOKEN";
  /** The token created by createToken(); empty until then */
  private $csrfToken = "";
  /** Timeout of the CSRF token in seconds: 3600s by default (maximum time
   * allowed to fill in the form and submit it) */
  private $csrfTimeout = 3600;

  /**
   * Manage the singleton.
   *
   * If an instance is already registered in $GLOBALS["domframework"]["csrf"],
   * its token, field name and timeout are copied into this object; otherwise
   * this object becomes the registered instance.
   */
  public function __construct () {
    if (isset ($GLOBALS["domframework"]["csrf"])) {
      $this->csrfToken = $GLOBALS["domframework"]["csrf"]->csrfToken;
      $this->field = $GLOBALS["domframework"]["csrf"]->field;
      $this->csrfTimeout = $GLOBALS["domframework"]["csrf"]->csrfTimeout;
    } else {
      $GLOBALS["domframework"]["csrf"] = $this;
    }
  }

  /**
   * Create a new token, store it in the session (with its creation time)
   * and return it.
   *
   * The token is 30 characters drawn from [a-zA-Z0-9].
   *
   * NOTE(review): mt_rand() is not a cryptographically secure generator;
   * random_int() / random_bytes() would be the appropriate source for an
   * anti-CSRF token.
   *
   * @return string The newly created token
   */
  public function createToken () {
    $l = 30; // Number of chars in token
    $c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    // Build the token one random alphabet character at a time
    for ($s = '', $cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)], ++$i);
    $this->csrfToken = $s;
    $_SESSION["domframework"]["csrf"]["csrf"] = $this->csrfToken;
    // Creation time, used by checkToken() to enforce $csrfTimeout
    $_SESSION["domframework"]["csrf"]["csrfStart"] = microtime (TRUE);
    return $this->csrfToken;
  }

  /**
   * Check that the provided token is the one stored in the session by the
   * last displayed page, and that it has not expired.
   *
   * Returns TRUE immediately when the protection is disabled ($csrf === FALSE).
   * Otherwise throws an \Exception with code 406 when no token exists in the
   * session, when the token differs, or when it is older than $csrfTimeout.
   *
   * NOTE(review): the comparison uses !== rather than hash_equals(), so it is
   * not constant-time; and the session token is not rotated after a
   * successful check, so it remains valid until the timeout.
   *
   * @param string $tokenFromUser The CSRF token value submitted by the user
   * @return bool TRUE when the token is accepted
   * @throws \Exception (code 406) when the token is missing, invalid or obsolete
   */
  public function checkToken ($tokenFromUser) {
    if ($this->csrf === FALSE ) return TRUE;
    if (! isset ($_SESSION["domframework"]["csrf"]["csrf"])) {
      throw new \Exception (dgettext("domframework", "No previous CSRF token : abort"), 406);
    }
    if ($_SESSION["domframework"]["csrf"]["csrf"] !== $tokenFromUser) {
      throw new \Exception (dgettext("domframework", "Invalid CSRF token provided"), 406);
    }
    if (($_SESSION["domframework"]["csrf"]["csrfStart"] + $this->csrfTimeout) < microtime (TRUE)) {
      throw new \Exception (dgettext("domframework", "Obsolete CSRF token provided"), 406);
    }
    return TRUE;
  }

  /**
   * Return the CSRF token in a hidden form field (named $field), creating
   * the token first if none exists yet.
   *
   * NOTE(review): the HTML markup of this method, and the header of the
   * method that follows it, were lost when the page was extracted (everything
   * between the opening "<" of the hidden input and a later ">" is missing).
   * The remaining tokens are kept verbatim below; the original must be
   * consulted before editing this part.
   */
  public function displayFormCSRF () {
    if ($this->csrfToken == "") $this->createToken ();
    $res = "csrfToken === "") $this->createToken ();
    return $this->csrfToken;
  }
}