<?php

namespace Riimu\Kit\CSRF;

/**
 * CSRF Handler that accepts each CSRF token only once.
 * @author Riikka Kalliomäki <riikka.kalliomaki@gmail.com>
 * @copyright Copyright (c) 2015, Riikka Kalliomäki
 * @license http://opensource.org/licenses/mit-license.php MIT License
 */
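class NonceValidator extends CSRFHandler
{
    /** @var string Name of the session variable that stores the used nonces */
    private $name;

    /**
     * Creates a new instance of NonceValidator.
     *
     * The parent handler is constructed with `false`; presumably that selects
     * the parent's non-cookie (session) storage — confirm against CSRFHandler.
     *
     * @param string $sessionVariable Name of the session variable used for storing nonces
     */
    public function __construct($sessionVariable = 'csrf_nonces')
    {
        parent::__construct(false);
        $this->name = $sessionVariable;
    }

    /**
     * Validates the token and, if it is accepted, marks its key as used.
     *
     * A key that has already been accepted once is rejected on every later
     * attempt. The key is recorded only after the parent handler has accepted
     * the token, so arbitrary invalid strings submitted by a client do not
     * accumulate in the session. Non-string input (for example an array sent
     * in place of the token field) is rejected before it reaches
     * base64_decode(), which would raise a TypeError on PHP 8.
     *
     * NOTE(review): the "already used?" check and the record are two separate
     * session operations; with a session handler that does not lock the
     * session for the duration of the request, two concurrent submissions of
     * the same token could both pass. The original ordering had the same
     * window.
     *
     * @param mixed $token The token string to validate
     * @return bool True if the token is valid and has not been used before, false otherwise
     */
    public function validateToken($token)
    {
        if (!is_string($token)) {
            return false;
        }

        $key = $this->extractKey($token);

        // A nonce that has already been consumed is never accepted again
        if (isset($_SESSION[$this->name][$key])) {
            return false;
        }

        $valid = parent::validateToken($token);

        // Remember the key only for tokens the parent actually accepted
        if ($valid) {
            $_SESSION[$this->name][$key] = true;
        }

        return $valid;
    }

    /**
     * Returns the token for the current request.
     *
     * If the key of the returned token is already marked as used, that mark
     * is removed so the freshly issued token can be submitted.
     *
     * @return string The token string produced by the parent handler
     */
    public function getToken()
    {
        $token = parent::getToken();
        $key = $this->extractKey($token);

        // For the sake of usability, allow the same token in the unlikely event that it gets recreated
        if (isset($_SESSION[$this->name][$key])) {
            unset($_SESSION[$this->name][$key]);
        }

        return $token;
    }

    /**
     * Regenerates the token via the parent handler and forgets all used nonces.
     *
     * Clearing the list keeps the session from accumulating keys across
     * regenerations; keys recorded before this point cannot be distinguished
     * from new ones anyway once the token has changed.
     *
     * @return mixed Whatever CSRFHandler::regenerateToken() returns
     */
    public function regenerateToken()
    {
        $_SESSION[$this->name] = [];

        return parent::regenerateToken();
    }

    /**
     * Returns the number of stored used nonces.
     * @return int Number of invalidated nonces.
     */
    public function getNonceCount()
    {
        return isset($_SESSION[$this->name]) ? count($_SESSION[$this->name]) : 0;
    }

    /**
     * Extracts the key from the combined token string.
     *
     * The key is the first CSRFHandler::TOKEN_LENGTH bytes of the decoded
     * token. Input that is not valid base64 yields an empty string; the
     * result may also be shorter than TOKEN_LENGTH for truncated input, so
     * a returned key is not by itself evidence that the token is valid.
     *
     * @param string $token The combined token string
     * @return string The key extracted from the combined token string
     */
    private function extractKey($token)
    {
        $decoded = base64_decode($token, true);

        // Strict decoding returns false for malformed input; map it explicitly
        // instead of relying on substr() coercing false to ''
        if ($decoded === false) {
            return '';
        }

        return substr($decoded, 0, CSRFHandler::TOKEN_LENGTH);
    }
}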