ILIAS  Release_4_3_x_branch Revision 61807
 All Data Structures Namespaces Files Functions Variables Groups Pages
Public Member Functions | Protected Member Functions | Protected Attributes
Slim_Http_CookieJar Class Reference

Slim - a micro PHP 5 framework. More...

+ Collaboration diagram for Slim_Http_CookieJar:

Public Member Functions

 __construct ($secret, $config=null)
 Constructor.
 getHighConfidentiality ()
 Get the high confidentiality mode.
 setHighConfidentiality ($enable)
 Enable or disable cookie data encryption.
 getSSL ()
 Get the SSL status (enabled or disabled?)
 setSSL ($enable)
 Enable SSL support (not enabled by default)
 getResponseCookies ()
 Get Cookies for Response.
 getResponseCookie ($cookiename)
 Get Cookie with name for Response.
 setCookie ($cookiename, $value, $username, $expire=0, $path= '/', $domain= '', $secure=false, $httponly=null)
 Set a secure cookie.
 deleteCookie ($name, $path= '/', $domain= '', $secure=false, $httponly=null)
 Delete a cookie.
 getCookieValue ($cookiename, $deleteIfInvalid=true)
 Get a secure cookie value.
 setClassicCookie ($cookiename, $value, $expire=0, $path= '/', $domain= '', $secure=false, $httponly=null)
 Send a classic (unsecure) cookie.
 cookieExists ($cookiename)
 Verify if a cookie exists.

Protected Member Functions

 _secureCookieValue ($value, $username, $expire)
 Secure a cookie value.
 _encrypt ($data, $key, $iv)
 Encrypt a given data with a given key and a given initialisation vector.
 _decrypt ($data, $key, $iv)
 Decrypt a given data with a given key and a given initialisation vector.
 _validateIv ($iv)
 Validate Initialization vector.
 _validateKey ($key)
 Validate key.

Protected Attributes

 $_secret = ''
 $_algorithm = MCRYPT_RIJNDAEL_256
 $_mode = MCRYPT_MODE_CBC
 $_cryptModule = null
 $_highConfidentiality = true
 $_ssl = false
 $_cookies = array()

Detailed Description

Slim - a micro PHP 5 framework.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Copyright
2011 Josh Lockhart http://www.slimframework.com/license 1.5.0 MIT LICENSE Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Cooke Jar Used to manage signed, encrypted Cookies. Provides: Cookie integrity and authenticity with HMACConfidentiality with symmetric encryptionProtection from replay attack if using SSL or TLSProtection from interception if using SSL or TLS This code was originally called "BigOrNot_CookieManager" and written by Matthieu Huguet released under "CopyLeft" license. I have cleaned up the code formatting to conform with Slim Framework contributor guidelines and added additional code where necessary to play nice with Slim Cookie objects. Requirements: libmcrypt > 2.4.x Matthies Huguet http://bigornot.blogspot.com/2008/06/security-cookies-and-rest.html

Definition at line 54 of file CookieJar.php.

Constructor & Destructor Documentation

Slim_Http_CookieJar::__construct (   $secret,
  $config = null 
)

Constructor.

Initialize cookie manager and mcrypt module.

Parameters
string$secretServer's secret key
array$config
Exceptions
ExceptionIf secret key is empty
ExceptionIf unable to open mcypt module

Definition at line 101 of file CookieJar.php.

{
if ( empty($secret) ) {
throw new Exception('You must provide a secret key');
}
$this->_secret = $secret;
if ( $config !== null && !is_array($config) ) {
throw new Exception('Config must be an array');
}
if ( is_array($config) ) {
if ( isset($config['high_confidentiality']) ) {
$this->_highConfidentiality = $config['high_confidentiality'];
}
if ( isset($config['mcrypt_algorithm']) ) {
$this->_algorithm = $config['mcrypt_algorithm'];
}
if ( isset($config['mcrypt_mode']) ) {
$this->_mode = $config['mcrypt_mode'];
}
if ( isset($config['enable_ssl']) ) {
$this->_ssl = $config['enable_ssl'];
}
}
if ( extension_loaded('mcrypt') ) {
$this->_cryptModule = mcrypt_module_open($this->_algorithm, '', $this->_mode, '');
if ( $this->_cryptModule === false ) {
throw new Exception('Error while loading mcrypt module');
}
}
}

Member Function Documentation

Slim_Http_CookieJar::_decrypt (   $data,
  $key,
  $iv 
)
protected

Decrypt a given data with a given key and a given initialisation vector.

Parameters
string$dataData to crypt
string$keySecret key
string$ivInitialisation vector
Returns
string Encrypted data

Definition at line 359 of file CookieJar.php.

References $data, $res, _validateIv(), and _validateKey().

Referenced by getCookieValue().

{
$iv = $this->_validateIv($iv);
$key = $this->_validateKey($key);
mcrypt_generic_init($this->_cryptModule, $key, $iv);
$decryptedData = mdecrypt_generic($this->_cryptModule, $data);
$res = str_replace("\x0", '', $decryptedData);
mcrypt_generic_deinit($this->_cryptModule);
return $res;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Slim_Http_CookieJar::_encrypt (   $data,
  $key,
  $iv 
)
protected

Encrypt a given data with a given key and a given initialisation vector.

Parameters
string$dataData to crypt
string$keySecret key
string$ivInitialisation vector
Returns
string Encrypted data

Definition at line 342 of file CookieJar.php.

References $data, $res, _validateIv(), and _validateKey().

Referenced by _secureCookieValue().

{
$iv = $this->_validateIv($iv);
$key = $this->_validateKey($key);
mcrypt_generic_init($this->_cryptModule, $key, $iv);
$res = @mcrypt_generic($this->_cryptModule, $data);
mcrypt_generic_deinit($this->_cryptModule);
return $res;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Slim_Http_CookieJar::_secureCookieValue (   $value,
  $username,
  $expire 
)
protected

Secure a cookie value.

The initial value is transformed with this protocol:

secureValue = username|expire|base64((value)k,expire)|HMAC(user|expire|value,k) where k = HMAC(user|expire, sk) and sk is server's secret key (value)k,md5(expire) is the result an cryptographic function (ex: AES256) on "value" with key k and initialisation vector = md5(expire)

Parameters
string$valueUnsecure value
string$usernameUser identifier
integer$expireExpiration time
Returns
string Secured value

Definition at line 315 of file CookieJar.php.

References $result, _encrypt(), and getHighConfidentiality().

Referenced by setCookie().

{
if ( is_string($expire) ) {
$expire = strtotime($expire);
}
$key = hash_hmac('sha1', $username . $expire, $this->_secret);
if ( $value !== '' && $this->getHighConfidentiality() ) {
$encryptedValue = base64_encode($this->_encrypt($value, $key, md5($expire)));
} else {
$encryptedValue = base64_encode($value);
}
if ( $this->_ssl && isset($_SERVER['SSL_SESSION_ID']) ) {
$verifKey = hash_hmac('sha1', $username . $expire . $value . $_SERVER['SSL_SESSION_ID'], $key);
} else {
$verifKey = hash_hmac('sha1', $username . $expire . $value, $key);
}
$result = array($username, $expire, $encryptedValue, $verifKey);
return implode('|', $result);
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Slim_Http_CookieJar::_validateIv (   $iv)
protected

Validate Initialization vector.

If given IV is too long for the selected mcrypt algorithm, it will be truncated

Parameters
string$ivInitialization vector
Returns
string

Definition at line 377 of file CookieJar.php.

Referenced by _decrypt(), and _encrypt().

{
$ivSize = mcrypt_enc_get_iv_size($this->_cryptModule);
if ( strlen($iv) > $ivSize ) {
$iv = substr($iv, 0, $ivSize);
}
return $iv;
}

+ Here is the caller graph for this function:

Slim_Http_CookieJar::_validateKey (   $key)
protected

Validate key.

If given key is too long for the selected mcrypt algorithm, it will be truncated

Parameters
string$keykey
string

Definition at line 393 of file CookieJar.php.

Referenced by _decrypt(), and _encrypt().

{
$keySize = mcrypt_enc_get_key_size($this->_cryptModule);
if ( strlen($key) > $keySize ) {
$key = substr($key, 0, $keySize);
}
return $key;
}

+ Here is the caller graph for this function:

Slim_Http_CookieJar::cookieExists (   $cookiename)

Verify if a cookie exists.

Parameters
string$cookiename
Returns
bool TRUE if cookie exist, or FALSE if not

Definition at line 296 of file CookieJar.php.

References $_COOKIE.

Referenced by getCookieValue().

{
return isset($_COOKIE[$cookiename]);
}

+ Here is the caller graph for this function:

Slim_Http_CookieJar::deleteCookie (   $name,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Delete a cookie.

Parameters
string$nameCookie name
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 221 of file CookieJar.php.

References $path.

Referenced by getCookieValue().

{
$expire = 315554400; /* 1980-01-01 */
$this->_cookies[$name] = new Slim_Http_Cookie($name, '', $expire, $path, $domain, $secure, $httponly);
//setcookie($name, '', $expire, $path, $domain, $secure, $httponly);
}

+ Here is the caller graph for this function:

Slim_Http_CookieJar::getCookieValue (   $cookiename,
  $deleteIfInvalid = true 
)

Get a secure cookie value.

Verify the integrity of cookie data and decrypt it. If the cookie is invalid, it can be automatically destroyed (default behaviour)

Parameters
string$cookienameCookie name
bool$deleteDestroy the cookie if invalid?
Returns
string|false The Cookie value, or FALSE if Cookie invalid

Definition at line 237 of file CookieJar.php.

References $_COOKIE, $data, _decrypt(), cookieExists(), deleteCookie(), and getHighConfidentiality().

{
if ( $this->cookieExists($cookiename) ) {
if ( extension_loaded('mcrypt') ) {
$cookieValues = explode('|', $_COOKIE[$cookiename]);
if ( (count($cookieValues) === 4) && ($cookieValues[1] == 0 || $cookieValues[1] >= time()) ) {
$key = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1], $this->_secret);
$cookieData = base64_decode($cookieValues[2]);
if ( $cookieData !== '' && $this->getHighConfidentiality() ) {
$data = $this->_decrypt($cookieData, $key, md5($cookieValues[1]));
} else {
$data = $cookieData;
}
if ( $this->_ssl && isset($_SERVER['SSL_SESSION_ID']) ) {
$verifKey = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1] . $data . $_SERVER['SSL_SESSION_ID'], $key);
} else {
$verifKey = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1] . $data, $key);
}
if ( $verifKey == $cookieValues[3] ) {
return $data;
}
}
} else {
return $_COOKIE[$cookiename];
}
}
if ( $deleteIfInvalid ) {
$this->deleteCookie($cookiename);
}
return false;
}

+ Here is the call graph for this function:

Slim_Http_CookieJar::getHighConfidentiality ( )

Get the high confidentiality mode.

Returns
bool TRUE if cookie data encryption is enabled, or FALSE if it isn't

Definition at line 136 of file CookieJar.php.

References $_highConfidentiality.

Referenced by _secureCookieValue(), and getCookieValue().

{
return $this->_highConfidentiality;
}

+ Here is the caller graph for this function:

Slim_Http_CookieJar::getResponseCookie (   $cookiename)

Get Cookie with name for Response.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Parameters
string$cookienameThe name of the Cookie
Returns
Cookie|null Cookie, or NULL if Cookie with name not found

Definition at line 191 of file CookieJar.php.

{
return isset($this->_cookies[$cookiename]) ? $this->_cookies[$cookiename] : null;
}
Slim_Http_CookieJar::getResponseCookies ( )

Get Cookies for Response.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Returns
array[Cookie]

Definition at line 180 of file CookieJar.php.

References $_cookies.

{
return $this->_cookies;
}
Slim_Http_CookieJar::getSSL ( )

Get the SSL status (enabled or disabled?)

Returns
bool TRUE if SSL support is enabled, or FALSE if it isn't

Definition at line 156 of file CookieJar.php.

References $_ssl.

{
return $this->_ssl;
}
Slim_Http_CookieJar::setClassicCookie (   $cookiename,
  $value,
  $expire = 0,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Send a classic (unsecure) cookie.

Parameters
string$nameCookie name
string$valueCookie value
integer$expireExpiration time
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 279 of file CookieJar.php.

References $path.

Referenced by setCookie().

{
/* httponly option is only available for PHP version >= 5.2 */
if ( $httponly === null ) {
$this->_cookies[$cookiename] = new Slim_Http_Cookie($cookiename, $value, $expire, $path, $domain, $secure);
//setcookie($cookiename, $value, $expire, $path, $domain, $secure);
} else {
$this->_cookies[$cookiename] = new Slim_Http_Cookie($cookiename, $value, $expire, $path, $domain, $secure, $httponly);
//setcookie($cookiename, $value, $expire, $path, $domain, $secure, $httponly);
}
}

+ Here is the caller graph for this function:

Slim_Http_CookieJar::setCookie (   $cookiename,
  $value,
  $username,
  $expire = 0,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Set a secure cookie.

Parameters
string$nameCookie name
string$valueCookie value
string$usernameUser identifier
integer$expireExpiration time
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 207 of file CookieJar.php.

References $path, _secureCookieValue(), and setClassicCookie().

{
$secureValue = extension_loaded('mcrypt') ? $this->_secureCookieValue($value, $username, $expire) : $value;
$this->setClassicCookie($cookiename, $secureValue, $expire, $path, $domain, $secure, $httponly);
}

+ Here is the call graph for this function:

Slim_Http_CookieJar::setHighConfidentiality (   $enable)

Enable or disable cookie data encryption.

Parameters
bool$enableTRUE to enable, FALSE to disable
Returns
CookieJar

Definition at line 146 of file CookieJar.php.

{
$this->_highConfidentiality = (bool)$enable;
return $this;
}
Slim_Http_CookieJar::setSSL (   $enable)

Enable SSL support (not enabled by default)

Pro: Protect against replay attack Con: Cookie's lifetime is limited to SSL session's lifetime

Parameters
bool$enableTRUE to enable, FALSE to disable
Returns
CookieJar

Definition at line 169 of file CookieJar.php.

{
$this->_ssl = (bool)$enable;
return $this;
}

Field Documentation

Slim_Http_CookieJar::$_algorithm = MCRYPT_RIJNDAEL_256
protected

Definition at line 64 of file CookieJar.php.

Slim_Http_CookieJar::$_cookies = array()
protected

Definition at line 89 of file CookieJar.php.

Referenced by getResponseCookies().

Slim_Http_CookieJar::$_cryptModule = null
protected

Definition at line 74 of file CookieJar.php.

Slim_Http_CookieJar::$_highConfidentiality = true
protected

Definition at line 79 of file CookieJar.php.

Referenced by getHighConfidentiality().

Slim_Http_CookieJar::$_mode = MCRYPT_MODE_CBC
protected

Definition at line 69 of file CookieJar.php.

Slim_Http_CookieJar::$_secret = ''
protected

Definition at line 59 of file CookieJar.php.

Slim_Http_CookieJar::$_ssl = false
protected

Definition at line 84 of file CookieJar.php.

Referenced by getSSL().

The documentation for this class was generated from the following file: