lithium\security\validation\RequestToken::check PHP Method

check() public static method

For example, the following two controller code samples are equivalent:

```php
$key = $this->request->data['security']['token'];

if (!RequestToken::check($key)) {
    // Handle invalid request...
}
```

```php
if (!RequestToken::check($this->request)) {
    // Handle invalid request...
}
```
public static check ( mixed $key, array $options = [] ) : boolean
$key mixed Either the actual key as a string, or a `Request` object containing the key.
$options array The options to use when matching the key to the token: - `'sessionKey'` _string_: The key used when reading the token from the session.
return boolean Returns `true` if the hash key is a cryptographic match to the stored session token. Returns `false` on failure, which indicates a forged request attempt.
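    /**
     * Checks a submitted request token key against the token stored in the session.
     *
     * Fails closed: when the session holds no token, or the request carries no usable key,
     * the method returns `false` without calling `Password::check()`.
     *
     * @param mixed $key Either the actual key as a string, or an object whose `data` property
     *        holds the key under `['security']['token']` (for example a `Request`).
     * @param array $options Options used when matching the key to the token:
     *        - `'sessionKey'` _string_: The key used when reading the token from the
     *          session. Defaults to `'security.token'`.
     * @return boolean `true` when `Password::check()` reports that the key matches the stored
     *         session token; `false` otherwise, including when either value is missing.
     */
    public static function check($key, array $options = array())
    {
        $options += array('sessionKey' => 'security.token');
        $session = static::$_classes['session'];

        if (is_object($key) && isset($key->data)) {
            // A request-like object was passed: pull the key out of its submitted data.
            // An absent key yields an empty result and is treated as "no key".
            $found = Set::extract($key->data, '/security/token');
            $key = $found ? $found[0] : null;
        }
        $token = $session::read($options['sessionKey']);

        // Request data is untrusted and may carry an array (or nothing) where the key is
        // expected. Neither that nor a missing stored token can be a legitimate match, so
        // reject here rather than pass an empty or coerced value on for comparison.
        if (!is_string($token) || $token === '' || $key === null || is_array($key)) {
            return false;
        }
        $key = (string) $key;

        if ($key === '') {
            return false;
        }
        return Password::check($token, $key);
    }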

Usage Example

Example #1
 /**
  * Controller initialisation: runs the parent initialisation, verifies the CSRF request
  * token on requests that carry data, then exposes the authenticated user to the view.
  *
  * @throws \Exception When request data is present and its token fails verification.
  */
 protected function _init()
 {
     parent::_init();

     // CSRF guard. The token is only verified when the request carries data, so a
     // request with empty data reaches the rest of the controller unchecked.
     if ($this->request->data && !RequestToken::check($this->request)) {
         throw new \Exception('Invalid request token.');
     }

     // Drop the whole 'security' entry once verified so it is not handled as form input.
     if (isset($this->request->data['security']['token'])) {
         unset($this->request->data['security']);
     }

     // Resolve the active user; CURRENT_USER is left untouched when Auth returns no object.
     $identity = Auth::check('any');
     if (is_object($identity)) {
         $this->CURRENT_USER = $identity->getUser();
     }

     $this->set(array('CURRENT_USER' => $this->CURRENT_USER));
 }