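/**
 * Generates (or re-uses) the CSRF token for the current form and stores it in the
 * configured storage ("session" or "cookie").
 *
 * Behaviour by case:
 *  - CSRF protection disabled (csrf_storage_method is boolean FALSE): nothing happens.
 *  - The form was submitted (its identifier is present in the superglobal matching the
 *    form's method) and $force is false: the previously stored token is re-used so the
 *    caller can compare it against the submitted value.
 *  - The form was not submitted, or $force is true: a fresh token is generated and stored.
 *
 * The token is always 32 lowercase hex characters: a CSPRNG is used when available
 * (random_bytes, then openssl_random_pseudo_bytes); the legacy md5(uniqid()) construction,
 * whose output is predictable, is only kept as a last resort for PHP builds with neither.
 *
 * @param bool $force When true a fresh token is generated even on a submission.
 *
 * @return void The token is written to $this->form_properties['csrf_token'].
 *              An E_USER_ERROR is raised (via _zebra_form_show_error / trigger_error) when
 *              "session" storage is used without a started session, or when the cookie
 *              could not be sent because output was already started.
 *              On PHP 7+ random_bytes() throws if no entropy source is available.
 */
private function _csrf_generate_token($force = false)
{
    // nothing to do unless CSRF protection is enabled (i.e. the storage method is not boolean FALSE)
    if ($this->form_properties['csrf_storage_method'] === false) {
        return;
    }

    // loose (==) comparison kept on purpose: it matches the original's acceptance of any
    // truthy, non-"cookie" storage value as "session"
    $storage = $this->form_properties['csrf_storage_method'];
    $name = $this->form_properties['csrf_cookie_name'];

    // reference to the superglobal matching the form's submission method
    global ${'_' . $this->form_properties['method']};
    $method =& ${'_' . $this->form_properties['method']};

    // the form counts as "submitted" when its identifier field is present in the request
    $submitted = isset($method[$this->form_properties['identifier']]);

    if ($submitted && $force === false && $storage == 'session'
        && isset($_SESSION[$name]) && is_array($_SESSION[$name]) && count($_SESSION[$name]) == 2) {

        // re-use the server-side token (index 0 is the token, index 1 its expiry timestamp)
        $this->form_properties['csrf_token'] = $_SESSION[$name][0];

    } elseif ($submitted && $force === false && $storage == 'cookie'
        && isset($_COOKIE[$name]) && is_string($_COOKIE[$name])) {

        // re-use the client-side token; $_COOKIE is attacker-controlled, so a non-string
        // value (e.g. "name[]=x") is treated exactly like a missing cookie
        $this->form_properties['csrf_token'] = $_COOKIE[$name];

    } elseif (!$submitted || $force === true) {

        // fresh token: 16 random bytes as 32 hex chars, the same length and alphabet as the
        // md5() hex digest, so any consumer that checks the token's format is unaffected
        if (function_exists('random_bytes')) {
            $this->form_properties['csrf_token'] = bin2hex(random_bytes(16));
        } else {
            $strong = false;
            $bytes = function_exists('openssl_random_pseudo_bytes')
                ? openssl_random_pseudo_bytes(16, $strong)
                : false;
            // only accept openssl output that it reports as cryptographically strong
            $this->form_properties['csrf_token'] = ($bytes !== false && $strong)
                ? bin2hex($bytes)
                : md5(uniqid(mt_rand(), true));
        }

        // expiry timestamp; a lifetime of 0 means "no expiry" (a session cookie when stored in a cookie)
        $lifetime = $this->form_properties['csrf_token_lifetime'];
        $csrf_token_expiry = $lifetime == 0 ? 0 : time() + $lifetime;

        if ($storage == 'session') {

            // session storage needs a started session; this call is expected to halt on E_USER_ERROR
            if (!isset($_SESSION)) {
                _zebra_form_show_error('You have chosen to enable protection against cross-site request forgery (CSRF) attacks and to use sessions for storing the CSRF token, but a session is not started! Start a session prior to calling the "csrf()" method', E_USER_ERROR);
            }

            // keep the token together with its expiry so the verifier can reject stale tokens
            $_SESSION[$name] = array($this->form_properties['csrf_token'], $csrf_token_expiry);

        } else {

            // cookie storage: the token is only as protected as the cookie's scope/flags
            // ("secure" and "httponly" come from the caller's csrf_cookie_config)
            $cookie = $this->form_properties['csrf_cookie_config'];

            // the "httponly" argument of setcookie() only exists on PHP 5.2.0+
            if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
                $sent = setcookie($name, $this->form_properties['csrf_token'], $csrf_token_expiry, $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
            } else {
                $sent = setcookie($name, $this->form_properties['csrf_token'], $csrf_token_expiry, $cookie['path'], $cookie['domain'], $cookie['secure']);
            }

            // setcookie() returns false once headers have been sent, i.e. output already started
            if (!$sent) {
                trigger_error('The library tried to store the CSRF token in a cookie but was unable to do so because there was output already sent to the browser. You should either start a session prior to instantiating the library (recommended), have no output (including <html> and <head> tags, as well as any whitespace) sent to the browser prior to instantiating the library, or turn output buffering on in php.ini.', E_USER_ERROR);
            }
        }
    }
}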