<?php

namespace Riimu\Kit\CSRF\Storage;

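/**
 * Token storage that uses browser cookies to store the CSRF token.
 *
 * The secret token is kept on the client side, in a cookie, and read back
 * from $_COOKIE on later requests. The token is base64-encoded before it is
 * written so that arbitrary binary token bytes survive the cookie round trip.
 *
 * NOTE(review): this is the "double submit" style of storage, so whatever
 * compares the submitted token against getStoredToken() (presumably the
 * CSRFHandler, not shown here) is trusting a client-controlled value; any
 * party that can set cookies for the configured domain could also control the
 * stored token. Where a server-side session is available, SessionStorage
 * does not have that property. Also note that the positional setcookie()
 * signature used here cannot set a SameSite attribute, and $secure defaults
 * to false, so the token cookie is sent over plain HTTP unless configured
 * otherwise.
 *
 * @author Riikka Kalliomäki <riikka.kalliomaki@gmail.com>
 * @copyright Copyright (c) 2014, Riikka Kalliomäki
 * @license http://opensource.org/licenses/mit-license.php MIT License
 */
class CookieStorage implements TokenStorage
{
    /**
     * List of cookie parameters, normalized to their expected scalar types
     * in the constructor (keys: name, expire, path, domain, secure, httpOnly).
     * @var array
     */
    private $cookieParams;

    /**
     * Creates a new instance of CookieStorage.
     *
     * Every argument is cast to its documented type so that later code can
     * rely on strict comparisons (e.g. `$params['expire'] !== 0`).
     *
     * @param string $name Name of the cookie used to store the token
     * @param int $expire Lifetime of the token cookie in seconds, 0 for a
     *        session cookie that expires when the browser is closed
     * @param string $path Path for the token cookie
     * @param string $domain Domain for the token cookie or empty string for none
     * @param bool $secure Whether to pass cookie only via SSL connection
     * @param bool $httpOnly Whether to make the cookie available only to HTTP
     *        requests (i.e. not readable by client-side scripts)
     */
    public function __construct(
        $name = 'csrf_token',
        $expire = 0,
        $path = '/',
        $domain = '',
        $secure = false,
        $httpOnly = true
    ) {
        $this->cookieParams = [
            'name'      => (string) $name,
            'expire'    => (int) $expire,
            'path'      => (string) $path,
            'domain'    => (string) $domain,
            'secure'    => (bool) $secure,
            'httpOnly'  => (bool) $httpOnly,
        ];
    }

    /**
     * Stores the secret CSRF token in the token cookie.
     *
     * A non-zero lifetime is converted into an absolute expiry timestamp,
     * because setcookie() expects a Unix time rather than a duration; a
     * lifetime of 0 is passed through unchanged, which makes it a session
     * cookie.
     *
     * @param string $token The secret token to store (may contain any bytes)
     * @throws TokenStorageException If the cookie could not be set
     */
    public function storeToken($token)
    {
        $params = $this->cookieParams;

        if ($params['expire'] !== 0) {
            $params['expire'] = time() + $params['expire'];
        }

        if (!$this->setCookie(base64_encode((string) $token), $params)) {
            throw new TokenStorageException('Error setting CSRF token cookie');
        }
    }

    /**
     * Sets the cookie that stores the secret CSRF token.
     * @param string $value The value for the cookie
     * @param array $params Parameters for the cookie
     * @return bool True if the cookie was set successfully, false if not
     * @throws TokenStorageException If the headers have already been sent
     * @codeCoverageIgnore
     */
    protected function setCookie($value, array $params)
    {
        // setcookie() only emits a warning once output has started; fail
        // loudly instead so a missing token cookie is never silently ignored.
        if (headers_sent()) {
            throw new TokenStorageException('Cannot store CSRF token, headers already sent');
        }

        return setcookie(
            $params['name'],
            $value,
            $params['expire'],
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httpOnly']
        );
    }

    /**
     * Returns the secret CSRF token stored in the token cookie.
     *
     * The cookie value is client-supplied and therefore untrusted: it is only
     * accepted when it is a string (PHP turns a `name[]=...` cookie into an
     * array, which base64_decode() would reject with a warning or TypeError
     * instead of a clean "no token" result) and when it is strictly valid
     * base64.
     *
     * @return string|false The stored token, or false if no valid token cookie
     *         is present
     */
    public function getStoredToken()
    {
        $name = $this->cookieParams['name'];

        if (!isset($_COOKIE[$name]) || !is_string($_COOKIE[$name])) {
            return false;
        }

        // Strict mode: any character outside the base64 alphabet yields false
        // rather than a partially decoded value.
        return base64_decode($_COOKIE[$name], true);
    }
}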