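/**
 * Bootstrap CSRF protection for the current request.
 *
 * Side effects, in order: starts the PHP session if none is active, loads the
 * library configuration into self::$config, authorises the incoming request
 * (self::authorizePost()), installs the output-buffer handler that injects
 * tokens into the response, refreshes the token when the cookie does not
 * match the session, and emits the X-CSRF-Protection header.
 *
 * Returns early (doing nothing) when the mod_csrfp_enabled environment
 * variable is set, because the Apache module already performs the checks.
 *
 * @param int|string|null $length Override for config 'tokenLength'; cast to int.
 *                                Ignored when not supplied or not a positive value.
 * @param mixed           $action Override for config 'failedAuthAction'. Ignored
 *                                when empty ('', 0, false, [], null), matching the
 *                                original loose "!= null" test.
 * @return void
 * @throws configFileNotFoundException     when neither config file exists
 * @throws incompleteConfigurationException when a required config key is missing/empty
 */
public static function init($length = null, $action = null)
{
    // mod_csrfp (Apache module) already verifies and filters; nothing to do here.
    if (getenv('mod_csrfp_enabled')) {
        return;
    }

    // Ensure a session exists: the valid-token list lives in $_SESSION.
    if (session_id() === '') {
        require_once __DIR__ . "/../../../../../sources/sessions.php";
        session_start();
    }

    // Configuration lookup order: a local csrfp.config.php next to the library,
    // then config/csrf_config.php at the project root (composer installations).
    $standardConfigLocation = __DIR__ . "/../csrfp.config.php";
    $composerConfigLocation = __DIR__ . "/../../../../../config/csrf_config.php";
    if (file_exists($standardConfigLocation)) {
        self::$config = (include $standardConfigLocation);
    } elseif (file_exists($composerConfigLocation)) {
        self::$config = (include $composerConfigLocation);
    } else {
        throw new configFileNotFoundException("OWASP CSRFProtector: configuration file not found for CSRFProtector!");
    }

    // Caller-supplied token length wins over the config value; a non-positive
    // length can never produce a usable token, so it is treated as "not supplied".
    if ($length !== null && (int) $length > 0) {
        self::$config['tokenLength'] = (int) $length;
    }

    // Caller-supplied action on failed authorisation wins over the config value.
    // empty() deliberately treats '', 0, false and [] as "not supplied".
    if (!empty($action)) {
        self::$config['failedAuthAction'] = $action;
    }

    // Fall back to the library-wide default cookie/session key name.
    if (!isset(self::$config['CSRFP_TOKEN']) || self::$config['CSRFP_TOKEN'] === '') {
        self::$config['CSRFP_TOKEN'] = CSRFP_TOKEN;
    }

    // Every required key must be present and non-empty before protection is armed.
    foreach (self::$requiredConfigurations as $key) {
        if (!isset(self::$config[$key]) || self::$config[$key] === '') {
            throw new incompleteConfigurationException("OWASP CSRFProtector: Incomplete configuration file!");
        }
    }

    // Authorise the incoming request (state-changing methods are validated here).
    self::authorizePost();

    // Install the output-buffer handler that injects tokens into the HTML response.
    ob_start('csrfProtector::ob_handler');

    // Issue a fresh token unless the client's cookie is one of the tokens recorded
    // in the session. The cookie is untrusted input: require it to be a string
    // and compare strictly, so that PHP's loose comparison cannot treat two
    // different numeric-looking token strings (e.g. "0e..." forms) as equal.
    $tokenKey = self::$config['CSRFP_TOKEN'];
    $cookieToken = $_COOKIE[$tokenKey] ?? null;
    $sessionTokens = $_SESSION[$tokenKey] ?? null;
    if (!is_string($cookieToken)
        || !is_array($sessionTokens)
        || !in_array($cookieToken, $sessionTokens, true)
    ) {
        self::refreshToken();
    }

    // Advertise that the response is protected by CSRFProtector.
    header('X-CSRF-Protection: OWASP CSRFP 1.0.0');
}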