KD2 Framework  Check-in [2ebe544791]

Comment:Form: don't use session_id as it can change between calls
SHA1: 2ebe5447917d5b915baffa17b38f968dd8ba65a5
User & Date: bohwaz on 2023-05-11 09:12:36
Context
2023-05-11
09:21
Form: add a user-specific cookie for CSRF check-in: 100de0f995 user: bohwaz tags: trunk
09:12
Form: don't use session_id as it can change between calls check-in: 2ebe544791 user: bohwaz tags: trunk
09:03
AbstractEntity: Fix typo check-in: eb5d6ed18f user: bohwaz tags: trunk
Changes

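--- a/src/lib/KD2/Form.php
+++ b/src/lib/KD2/Form.php
@@ -70,15 +70,15 @@
 
 		$action = self::tokenAction($action);
 
 		$random = random_int(0, PHP_INT_MAX);
 		$expire = floor(time() / 3600) + $expire;
 		$value = $expire . $random . $action;
 
-		$hash = hash_hmac('sha256', $expire . $random . $action, self::$token_secret . session_id());
+		$hash = hash_hmac('sha256', $expire . $random . $action, self::$token_secret);
 
 		return $hash . '/' . dechex($expire) . '/' . dechex($random);
 	}
 
 	/**
 	 * Checks a CSRF token
 	 * @param  string $action An action description, if NULL then REQUEST_URI will be used
@@ -114,28 +114,28 @@
 
 		// Expired token
 		if ($expire < ceil(time() / 3600))
 		{
 			return false;
 		}
 
-		$hash = hash_hmac('sha256', $expire . $random . $action, self::$token_secret . session_id());
+		$hash = hash_hmac('sha256', $expire . $random . $action, self::$token_secret);
 
 		return hash_equals($hash, $user_hash);
 	}
 
 	/**
 	 * Generates a random field name for the current token action
 	 * @param  string $action An action description, if NULL then REQUEST_URI will be used
 	 * @return string
 	 */
 	static public function tokenFieldName($action = null)
 	{
 		$action = self::tokenAction($action);
-		return 'ct_' . sha1($action . $_SERVER['DOCUMENT_ROOT'] . $_SERVER['SERVER_NAME'] . session_id());
+		return 'ct_' . sha1($action . $_SERVER['DOCUMENT_ROOT'] . $_SERVER['SERVER_NAME']);
 	}
 
 	/**
 	 * Returns the supplied action name or if it is NULL, then the REQUEST_URI
 	 * @param  string $action
 	 * @return string
 	 */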
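Review bot: With `session_id()` dropped from the HMAC key in both the generator (new line 77) and the check (new line 121), a token is now bound only to the action and the shared `self::$token_secret`, so a token minted for one client validates for every client on the site until the hour-based expiry; anyone who can obtain a token for an action by using the site normally can replay it in a forged request against another user, which defeats the CSRF check. The Context list shows a later check-in adding a user-specific cookie for the CSRF check, which presumably restores that binding, but this revision is not safe on its own and the code should say so: `// NOTE: the key has no per-user component, so the token is not bound to the client; a per-user secret (e.g. a cookie-held value) must be mixed in`. Separately, `$value` on line 75 is built but never used — pass it to `hash_hmac` instead of repeating the same concatenation. Both the generator and the check start outside the hunks shown.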