Stud.IP 5.4
CSRFProtection Class Reference

Static Public Member Functions

static verifyUnsafeRequest ()
 
static verifySecurityToken ()
 
static verifyRequest ()
 
static token ()
 
static tokenTag (array $attributes=[])
 

Data Fields

const TOKEN = 'security_token'
 
const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'
 

Detailed Description

To protect Stud.IP from forged requests from other sites, a security token is generated and stored in the session, and all forms (or rather, all POST requests) have to contain that token, which is then compared on the server side to verify the authenticity of the request. GET requests are not checked, as these are assumed to be idempotent anyway.

If a forgery is detected, an InvalidSecurityTokenException is thrown and a log entry is recorded in the error log.

The (form or request) parameter is named "security_token". If you are authoring an HTML form, you have to include this as an input[type=hidden] element. This is easily done by calling CSRFProtection::tokenTag().

Checking the token is done implicitly when page_open in file lib/phplib/page4.inc is called.
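The scheme described above, written out as an added, self-contained PHP example (this is not Stud.IP's own CSRFProtection code). It assumes an active PHP session and the usual $_POST/$_SERVER superglobals; the class name CsrfExample and the exception types are placeholders for the ones the page names, and reading the AJAX token from $_SERVER under the HTTP_X_CSRF_TOKEN key is an assumption drawn from the constant's name.

```php
<?php
// Added example of the session-token scheme described above; not Stud.IP's code.
// Assumes an active PHP session and standard $_POST/$_SERVER superglobals.
class CsrfExample
{
    const TOKEN = 'security_token';         // POST parameter name (as on the page)
    const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'; // assumed $_SERVER key for an X-CSRF-Token header
    // Token stored in the session, generated on first use (32 random bytes, base64).
    public static function token(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            throw new RuntimeException('no session to store the token in');
        }
        if (empty($_SESSION[self::TOKEN])) {
            $_SESSION[self::TOKEN] = base64_encode(random_bytes(32));
        }
        return $_SESSION[self::TOKEN];
    }
    // Hidden input to embed in every HTML form that submits via POST.
    public static function tokenTag(array $attributes = []): string
    {
        // Forced keys win over caller-supplied ones; extra attributes (e.g. id) are kept.
        $attributes = ['type' => 'hidden', 'name' => self::TOKEN, 'value' => self::token()] + $attributes;
        $html = '<input';
        foreach ($attributes as $k => $v) {
            $html .= sprintf(' %s="%s"', $k, htmlspecialchars((string) $v, ENT_QUOTES));
        }
        return $html . '>';
    }
    // True only if the submitted token (POST field or AJAX header) equals the session token.
    public static function verifyRequest(): bool
    {
        $supplied = $_POST[self::TOKEN] ?? $_SERVER[self::AJAX_TOKEN] ?? null;
        // hash_equals compares in constant time; non-strings are rejected before the call.
        return is_string($supplied) && hash_equals(self::token(), $supplied);
    }
    // Reject safe methods outright, then throw (and log) if the token does not match.
    public static function verifyUnsafeRequest(): void
    {
        $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
        if (in_array($method, ['GET', 'HEAD', 'OPTIONS', 'TRACE'], true)) {
            throw new RuntimeException("$method is a safe method in terms of RFC 2616");
        }
        if (!self::verifyRequest()) {
            error_log('CSRF check failed for ' . ($_SERVER['REQUEST_URI'] ?? '?'));
            throw new RuntimeException('invalid security token');
        }
    }
}
```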

Member Function Documentation

static token ( )

Returns the token stored in the session, generating it first if required.

Returns
string: a base64-encoded string of 32 random bytes
Exceptions
SessionRequiredException: there is no session to store the token in
static tokenTag ( array $attributes = [] )

Returns a snippet of HTML containing an input[type=hidden] element like this:

<input type="hidden" name="security_token" value="012345678901234567890123456789==">
Parameters
array $attributes: Additional attributes to be added to the input
Returns
string: the HTML snippet containing the input element
static verifyRequest ( )

This checks the request and returns either true or false. It is called implicitly by CSRFProtection::verifySecurityToken(), and there should never be a need to call it directly.

Returns
boolean: true if the request is valid
static verifySecurityToken ( )

This checks the request and throws an InvalidSecurityTokenException if it fails to verify its authenticity.

Exceptions
InvalidSecurityTokenException: the request is invalid
static verifyUnsafeRequest ( )

This checks the request and throws an InvalidSecurityTokenException if it fails to verify its authenticity.

Exceptions
MethodNotAllowedException: the request has to be unsafe in terms of RFC 2616
InvalidSecurityTokenException: the request is invalid as the security token does not match

Field Documentation

const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'

const TOKEN = 'security_token'

The name of the parameter.


The documentation for this class was generated from the following file: