application/helpers/csrf.php

   1 <?php defined('SYSPATH') OR die('No direct access allowed.');
   2 /**
   3  * CSRF helper class.
   4  */
   5 class csrf_Core {
   6
   7         /**
   8          * Generate new token
   9          * Save token to session together with time for generation
  10          *
  11          * @return str $token
  12          */
  13         public static function token($force = false)
  14         {
  15                 if (($token = csrf::current_token()) === FALSE || $force === true || csrf::current_token_expired() === true) {
  16
  17                         # save token to session
  18                         Session::instance()->set(Kohana::config('csrf.csrf_token'), ($token = text::random('alnum', 41)));
  19
  20                         # save session timestamp to session
  21                         Session::instance()->set(Kohana::config('csrf.csrf_timestamp'), time());
  22                 }
  23
  24                 return $token;
  25         }
  26
  27         /**
  28          * Checks if current token has expired
  29          *
  30          * @return boolean
  31          **/
  32         public static function current_token_expired() {
  33                 if (csrf::current_token() !== false && csrf::current_timestamp() + csrf::lifetime() < time()) {
  34                         return true;
  35                 }
  36                 return false;
  37         }
  38
  39         /**
  40          * Validate token
  41          * @param $token The csrf token
  42          * @return true if validation was successful, false otherwise
  43          */
  44         public static function valid($token)
  45         {
  46                 # not valid if tokens differ or has expired
  47                 if ($token !== csrf::current_token() || csrf::current_token_expired() === true) {
  48                         return false;
  49                 }
  50                 return true;
  51         }
  52
  53         /**
  54          * Return current csrf token
  55          */
  56         public static function current_token()
  57         {
  58                 return Session::instance()->get(Kohana::config('csrf.csrf_token'), false);
  59         }
  60
  61         /**
  62          * Return current csrf timestamp
  63          */
  64         public static function current_timestamp()
  65         {
  66                 return Session::instance()->get(Kohana::config('csrf.csrf_timestamp'), false);
  67         }
  68
  69         /**
  70          * Return lifetime for current csrf token
  71          */
  72         public static function lifetime()
  73         {
  74                 return (int)Kohana::config('csrf.csrf_lifetime');
  75         }
  76
  77         /**
  78          * Return a string representation of a form element with the current CSRF token
  79          * @param $name The name of the form element
  80          */
  81         public static function form_field($name='') {
  82                 if (Kohana::config('csrf.csrf_token')=='' || Kohana::config('csrf.active') === false) {
  83                         return;
  84                 }
  85
  86                 if (empty($name)) $name = Kohana::config('csrf.csrf_token');
  87                 return '<input type="hidden" name="'.$name.'" value="'.self::token(true).'">';
  88         }
  89 }
  90 ?>