Csrf
This class provides protection against CSRF attacks.
Call Csrf::add_code() if the page contains vulnerable links and forms, and call Csrf::check_code() to abort the request when no valid code is present.
This class expects that the session has been set up correctly and can be used through $_SESSION.
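The pattern just described (add_code() on the rendering path, check_code() in front of the state-changing action, and the htmlentities() caveat that applies to enhanceURI()), as an added usage example. This is illustration code, not Cloudrexx's own; it assumes the Cloudrexx autoloader is loaded, that the session is already started as the class requires, and that the "delete" action, the deleteEntry() helper and the index.php routing are hypothetical.

```php
<?php
// Added example, not Cloudrexx code. Assumes the Cloudrexx autoloader is
// loaded and the session is started. The "act=delete" action, the entry
// ids and deleteEntry() are hypothetical placeholders.
use Cx\Core\Csrf\Controller\Csrf;

function deleteEntry(int $id): void
{
    // Hypothetical state-changing work that must never run on a forged request.
}

$action = $_REQUEST['act'] ?? 'list';

if ($action === 'delete' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    // check_code() does not return when the code is missing or invalid:
    // the request is killed. Everything after this line is protected.
    Csrf::check_code();
    deleteEntry((int) ($_POST['id'] ?? 0));
    // Csrf::redirect() adds the code to the Location header itself, so the
    // next page still carries a valid token (plain header() would not).
    Csrf::redirect('index.php?act=list');
}

// Rendering path: must be called before any output, because it registers an
// output rewrite that only affects what is emitted after the call.
Csrf::add_code();
?>
<form method="post" action="index.php?act=delete">
  <input type="hidden" name="id" value="42">
  <button type="submit">Delete entry 42</button>
</form>
<?php
// A URL assembled by hand gets the code via enhanceURI(). It joins with a
// raw "&", so escape it before embedding it in HTML (fine as-is inside a
// Location header or a JavaScript string).
$editUrl = Csrf::enhanceURI('index.php?act=edit&id=42');
?>
<a href="<?php echo htmlentities($editUrl, ENT_QUOTES, 'UTF-8'); ?>">Edit entry 42</a>
```

The only line that enforces anything is Csrf::check_code(); add_code() and enhanceURI() merely make sure legitimate pages carry a token, so a handler that forgets check_code() is unprotected no matter how its links were rendered.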
Table of Contents
Properties
- $active_decrease : mixed
- This number defines how much to decrease a code's validity each time it's checked. Example: if validity_count is 5 and active_decrease is 1, a code is valid four times, meaning a user can open four tabs from the same page before the request is denied.
- $unused_decrease : mixed
- This number defines how much any known code's validity count is reduced at every check, even if another code was given by the form/link. This way, we can expire codes that are not in use anymore, and so keep the session smaller. With a value of 0.5 and a validity_count of 5, this means that after 10 requests, an unused key will be invalid.
- $validity_count : mixed
- This variable defines how many times a given code is accepted as valid. We need this in case the user opens a new tab in the admin panel.
- $already_added_code : mixed
- $already_checked : mixed
- $current_code : mixed
- $formkey : mixed
- $frontend_mode : mixed
- $sesskey : mixed
Methods
- add_code() : mixed
- Call this to add a CSRF protection code to all the forms and links on the generated page. Note that you don't need to pass any content, and nothing is returned: this function uses PHP's output rewriting (output_add_rewrite_var()) to insert the data into the output.
- add_placeholder() : mixed
- Adds a placeholder for the CSRF code to the given template.
- check_code() : mixed
- Call this if you need to protect critical work.
- cleanRequestURI() : mixed
- Remove the CSRF protection parameter from the query string and referrer
- code() : mixed
- Returns the anti-CSRF code for the current request. You can build your own URLs together with \Cx\Core\Csrf\Controller\Csrf::key()
- enhanceURI() : mixed
- Adds the CSRF protection code to the URI specified by $uri.
- header() : mixed
- Acts as a replacement for header() calls that handle URLs.
- key() : mixed
- Returns the anti-CSRF code's form key.
- param() : mixed
- Returns a key/value pair ready to use in an URL.
- redirect() : mixed
- Redirect
- setFrontendMode() : mixed
- __cleanup() : mixed
- __enhance_header() : mixed
- A utility function to patch URLs specifically in redirect (and possibly other) headers. Expects a string in the form "header-name: ...." and returns it, modified to contain the CSRF protection parameter.
- __formval() : mixed
- __get_code() : mixed
- __getkey() : mixed
- __is_ajax() : mixed
- __is_logged_in() : mixed
- __kill() : mixed
- __reduce() : mixed
- Decrease the validity of the CSRF tokens
- __setkey() : mixed
- parseRequestParametersForForm() : mixed
Properties
$active_decrease
This number defines how much to decrease a code's validity each time it's checked. Example: if validity_count is 5 and active_decrease is 1, a code is valid four times, meaning a user can open four tabs from the same page before the request is denied.
public static mixed $active_decrease = 1
$unused_decrease
This number defines how much any known code's validity count is reduced at every check, even if another code was given by the form/link. This way, we can expire codes that are not in use anymore, and so keep the session smaller. With a value of 0.5 and a validity_count of 5, this means that after 10 requests, an unused key will be invalid.
public static mixed $unused_decrease = 0.5
$validity_count
This variable defines how many times a given code is accepted as valid. We need this in case the user opens a new tab in the admin panel.
public static mixed $validity_count = 15
A high value increases usability, a low value increases security. Tough call!
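How the three public settings interact is easier to see on a small stand-alone model than in prose. The following is an added illustration, not Cloudrexx's code: it reimplements only the counting rule described above (each stored code loses $unused_decrease per check, the code actually submitted loses $active_decrease instead, a code with nothing left is refused and dropped). The class name, the in-memory storage and the assumption that a used code is not decremented twice are mine; the real class keeps its state under $_SESSION['__csrf_data__']. Requires PHP 8.

```php
<?php
// Added illustration, not Cloudrexx code: a model of the counter scheme
// behind $validity_count, $active_decrease and $unused_decrease.
// Assumptions: in-memory storage instead of $_SESSION, and the submitted
// code is reduced by active_decrease only (not by both decrements).

final class CsrfCounterModel
{
    /** @var array<string, float> code => remaining validity */
    private array $codes = [];

    public function __construct(
        private float $validityCount = 15,
        private float $activeDecrease = 1,
        private float $unusedDecrease = 0.5
    ) {
    }

    /** Mint a fresh code, as a page calling add_code() would once per request. */
    public function issue(): string
    {
        $code = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
        $this->codes[$code] = $this->validityCount;
        return $code;
    }

    /**
     * Model of check_code(): true if $submitted is a known code with validity
     * left. Every check ages all stored codes, so stale tabs expire on their own.
     */
    public function check(?string $submitted): bool
    {
        $valid = false;
        foreach ($this->codes as $code => $remaining) {
            // hash_equals() keeps the comparison constant-time.
            if ($submitted !== null && hash_equals($code, $submitted)) {
                $valid = $remaining > 0;
                $this->codes[$code] = $remaining - $this->activeDecrease;
            } else {
                $this->codes[$code] = $remaining - $this->unusedDecrease;
            }
        }
        // Drop exhausted codes so the session cannot grow without bound.
        $this->codes = array_filter($this->codes, fn (float $r): bool => $r > 0);
        return $valid;
    }

    public function remaining(string $code): ?float
    {
        return $this->codes[$code] ?? null;
    }
}

// Walk-through with the defaults documented on this page (15 / 1 / 0.5).
$model = new CsrfCounterModel();
$a = $model->issue();   // first tab, submitted repeatedly
$b = $model->issue();   // second tab, never submitted

$accepted = 0;
for ($i = 0; $i < 16; $i++) {
    if ($model->check($a)) {
        $accepted++;
    }
}
printf("code A accepted %d times of 16\n", $accepted);                     // 15

// $b lost 0.5 on each of the 16 checks: 15 - 8 = 7 left.
printf("code B remaining: %s\n", var_export($model->remaining($b), true)); // 7.0

// A code that was never issued is always refused, and the attempt still
// ages every stored code.
var_dump($model->check('0000deadbeef'));                                   // bool(false)
```

With the defaults, a token survives 15 submissions and an idle one survives 30 checks by other tokens; raising $validity_count extends both windows, which is exactly the usability/security trade-off the comment above describes.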
$already_added_code
private static mixed $already_added_code = false
$already_checked
private static mixed $already_checked = false
$current_code
private static mixed $current_code = NULL
$formkey
private static mixed $formkey = 'csrf'
$frontend_mode
private static mixed $frontend_mode = false
$sesskey
private static mixed $sesskey = '__csrf_data__'
Methods
add_code()
Call this to add a CSRF protection code to all the forms and links on the generated page. Note that you don't need to pass any content, and nothing is returned: this function uses PHP's output rewriting (output_add_rewrite_var()) to insert the data into the output.
public
static add_code() : mixed
Note: output_add_rewrite_var() used in here does a really bad job on your URIs within the HTML. It appends parameters without considering whether it should use '&' or '&amp;'. This results in invalid HTML!
add_placeholder()
Adds a placeholder for the CSRF code to the given template.
public
static add_placeholder(Sigma $tpl) : mixed
This is so you can easily patch javascript code that handles URLs, as this cannot be done by add_code().
Parameters
- $tpl : Sigma, the template object
check_code()
Call this if you need to protect critical work.
public
static check_code() : mixed
This function will stop the request if it cannot find a valid anti-CSRF code in the request.
cleanRequestURI()
Remove the CSRF protection parameter from the query string and referrer
public
static cleanRequestURI() : mixed
code()
Returns the anti-CSRF code for the current request. You can build your own URLs together with \Cx\Core\Csrf\Controller\Csrf::key()
public
static code() : mixed
enhanceURI()
Adds the CSRF protection code to the URI specified by $uri.
public
static enhanceURI(mixed $uri) : mixed
Note: This adds a plain ampersand (&), not the HTML entity &amp;. Thus, it is only suitable for modifying header() parameters and URIs within JavaScript. For URIs to be embedded into HTML, you SHOULD pass the result through htmlentities() first!
Parameters
- $uri : mixed
header()
Acts as a replacement for header() calls that handle URLs.
public
static header(mixed $header[, mixed $replace = true ][, mixed $httpResponseCode = null ]) : mixed
Only use it for headers in the form "Foo: an_url", for instance "Location: index.php?foo=bar".
Parameters
- $header : mixed
- $replace : mixed = true
- $httpResponseCode : mixed = null
key()
Returns the anti-CSRF code's form key.
public
static key() : mixed
You can build your own URLs together with \Cx\Core\Csrf\Controller\Csrf::code()
param()
Returns a key/value pair ready to use in an URL.
public
static param() : mixed
redirect()
Redirect
public
static redirect(string $url[, bool $exit = true ][, bool $rfc2616 = false ]) : mixed
This function redirects the client. This is done by issuing a "Location" header and, if wanted, exiting. If you set $rfc2616 to true, a hypertext note with the location of the redirect is output, as RFC 2616 recommends for redirect responses.
Parameters
- $url : string, URL where the redirect should go to.
- $exit : bool = true, whether to exit immediately after redirection.
- $rfc2616 : bool = false, whether to output a hypertext note where we're redirecting to ("Redirecting to ....").
Tags
Return values
mixed: returns true on success (or exits) or false if headers have already been sent.
setFrontendMode()
public
static setFrontendMode() : mixed
__cleanup()
private
static __cleanup() : mixed
__enhance_header()
A utility function to patch URLs specifically in redirect (and possibly other) headers. Expects a string in the form "header-name: ...." and returns it, modified to contain the CSRF protection parameter.
private
static __enhance_header(mixed $header) : mixed
Example: __enhance_header('Location: index.php') --> "Location: index.php?csrf=xxxxx"
Parameters
- $header : mixed
__formval()
private
static __formval(mixed $str) : mixed
Parameters
- $str : mixed
__get_code()
private
static __get_code() : mixed
__getkey()
private
static __getkey(mixed $key) : mixed
Parameters
- $key : mixed
__is_ajax()
private
static __is_ajax() : mixed
__is_logged_in()
private
static __is_logged_in() : mixed
__kill()
private
static __kill() : mixed
__reduce()
Decrease the validity of the CSRF tokens
private
static __reduce(string $code, string $method) : mixed
Parameters
- $code : string
-
The CSRF token used for this request
- $method : string
-
The HTTP request method
__setkey()
private
static __setkey(mixed $key, mixed $value) : mixed
Parameters
- $key : mixed
- $value : mixed
parseRequestParametersForForm()
private
static parseRequestParametersForForm(mixed $key, mixed $value[, mixed $arrSubKeys = array() ]) : mixed
Parameters
- $key : mixed
- $value : mixed
- $arrSubKeys : mixed = array()