Airship\Engine\Security\CSRF::check PHP Method

CSRF Class Documentation Usage Examples Of Airship\Engine\Security\CSRF::check Show file Open project: paragonie/airship

check() public method

Validate a request based on $_SESSION and $_POST data

public check ( ) : boolean
return	boolean

    public function check() : bool
    {
        if (!isset($_SESSION[$this->sessionIndex])) {
            // We don't even have a session array initialized
            $_SESSION[$this->sessionIndex] = [];
            return false;
        }
        if (!isset($_POST[self::FORM_TOKEN]) || !\is_string($_POST[self::FORM_TOKEN])) {
            return false;
        }
        if (\strpos($_POST[self::FORM_TOKEN], ':') === false) {
            return false;
        }
        // Let's pull the POST data
        list($index, $token) = \explode(':', $_POST[self::FORM_TOKEN]);
        if (empty($index) || empty($token)) {
            return false;
        }
        if (!isset($_SESSION[$this->sessionIndex][$index])) {
            // CSRF Token not found
            return false;
        }
        // Grab the value stored at $index
        $stored = $_SESSION[$this->sessionIndex][$index];
        // We don't need this anymore
        unset($_SESSION[$this->sessionIndex][$index]);
        // Which form action="" is this token locked to?
        $lockTo = $_SERVER['REQUEST_URI'];
        if (\preg_match('#/$#', $lockTo)) {
            // Trailing slashes are to be ignored
            $lockTo = substr($lockTo, 0, strlen($lockTo) - 1);
        }
        if (!empty($stored['lockto'])) {
            if (!\hash_equals($lockTo, $stored['lockto'])) {
                // Form target did not match the request this token is locked to!
                return false;
            }
        }
        // This is the expected token value
        if ($this->hmacIP === false) {
            // We just stored it wholesale
            $expected = $stored['token'];
        } else {
            // We mixed in the client IP address to generate the output
            $expected = Base64UrlSafe::encode(CryptoUtil::raw_keyed_hash($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1', Base64UrlSafe::decode($stored['token'])));
        }
        return \hash_equals($token, $expected);
    }

Usage Example

Example #1

Show file

File: Install.php Project: paragonie/airship

 /**
  * Grab post data, but only if the CSRF token is valid
  * 
  * @param bool $ignoreCSRFToken - Don't validate CSRF tokens
  * 
  * @return array|bool
  */
 protected function post(bool $ignoreCSRFToken = false)
 {
     if (empty($_POST)) {
         return false;
     }
     if ($ignoreCSRFToken) {
         return $_POST;
     }
     if ($this->csrf->check()) {
         return $_POST;
     }
     return false;
 }

CSRF

__construct

check

generateToken

getTokenString

insertToken

reconfigure

recycleTokens