ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
Public Member Functions | Protected Member Functions | Protected Attributes
Slim_Http_CookieJar Class Reference

Slim - a micro PHP 5 framework. More...

+ Collaboration diagram for Slim_Http_CookieJar:

Public Member Functions

 __construct ( $secret, $config=null)
 Constructor. More...
 
 getHighConfidentiality ()
 Get the high confidentiality mode. More...
 
 setHighConfidentiality ( $enable)
 Enable or disable cookie data encryption. More...
 
 getSSL ()
 Get the SSL status (enabled or disabled?) More...
 
 setSSL ( $enable)
 Enable SSL support (not enabled by default) More...
 
 getResponseCookies ()
 Get Cookies for Response. More...
 
 getResponseCookie ( $cookiename)
 Get Cookie with name for Response. More...
 
 setCookie ( $cookiename, $value, $username, $expire=0, $path='/', $domain='', $secure=false, $httponly=null)
 Set a secure cookie. More...
 
 deleteCookie ( $name, $path='/', $domain='', $secure=false, $httponly=null)
 Delete a cookie. More...
 
 getCookieValue ( $cookiename, $deleteIfInvalid=true)
 Get a secure cookie value. More...
 
 setClassicCookie ( $cookiename, $value, $expire=0, $path='/', $domain='', $secure=false, $httponly=null)
 Send a classic (unsecure) cookie. More...
 
 cookieExists ($cookiename)
 Verify if a cookie exists. More...
 

Protected Member Functions

 _secureCookieValue ( $value, $username, $expire)
 Secure a cookie value. More...
 
 _encrypt ( $data, $key, $iv)
 Encrypt a given data with a given key and a given initialisation vector. More...
 
 _decrypt ( $data, $key, $iv)
 Decrypt a given data with a given key and a given initialisation vector. More...
 
 _validateIv ($iv)
 Validate Initialization vector. More...
 
 _validateKey ($key)
 Validate key. More...
 

Protected Attributes

 $_secret = ''
 
 $_algorithm = MCRYPT_RIJNDAEL_256
 
 $_mode = MCRYPT_MODE_CBC
 
 $_cryptModule = null
 
 $_highConfidentiality = true
 
 $_ssl = false
 
 $_cookies = array()
 

Detailed Description

Slim - a micro PHP 5 framework.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Copyright
2011 Josh Lockhart http://www.slimframework.com/license 1.5.0 MIT LICENSE Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Cooke Jar Used to manage signed, encrypted Cookies. Provides: Cookie integrity and authenticity with HMACConfidentiality with symmetric encryptionProtection from replay attack if using SSL or TLSProtection from interception if using SSL or TLS This code was originally called "BigOrNot_CookieManager" and written by Matthieu Huguet released under "CopyLeft" license. I have cleaned up the code formatting to conform with Slim Framework contributor guidelines and added additional code where necessary to play nice with Slim Cookie objects. Requirements: libmcrypt > 2.4.x Matthies Huguet http://bigornot.blogspot.com/2008/06/security-cookies-and-rest.html

Definition at line 54 of file CookieJar.php.

Constructor & Destructor Documentation

◆ __construct()

Slim_Http_CookieJar::__construct (   $secret,
  $config = null 
)

Constructor.

Initialize cookie manager and mcrypt module.

Parameters
string$secretServer's secret key
array$config
Exceptions
ExceptionIf secret key is empty
ExceptionIf unable to open mcypt module

Definition at line 101 of file CookieJar.php.

101  {
102  if ( empty($secret) ) {
103  throw new Exception('You must provide a secret key');
104  }
105  $this->_secret = $secret;
106  if ( $config !== null && !is_array($config) ) {
107  throw new Exception('Config must be an array');
108  }
109  if ( is_array($config) ) {
110  if ( isset($config['high_confidentiality']) ) {
111  $this->_highConfidentiality = $config['high_confidentiality'];
112  }
113  if ( isset($config['mcrypt_algorithm']) ) {
114  $this->_algorithm = $config['mcrypt_algorithm'];
115  }
116  if ( isset($config['mcrypt_mode']) ) {
117  $this->_mode = $config['mcrypt_mode'];
118  }
119  if ( isset($config['enable_ssl']) ) {
120  $this->_ssl = $config['enable_ssl'];
121  }
122  }
123  if ( extension_loaded('mcrypt') ) {
124  $this->_cryptModule = mcrypt_module_open($this->_algorithm, '', $this->_mode, '');
125  if ( $this->_cryptModule === false ) {
126  throw new Exception('Error while loading mcrypt module');
127  }
128  }
129  }

Member Function Documentation

◆ _decrypt()

Slim_Http_CookieJar::_decrypt (   $data,
  $key,
  $iv 
)
protected

Decrypt a given data with a given key and a given initialisation vector.

Parameters
string$dataData to crypt
string$keySecret key
string$ivInitialisation vector
Returns
string Encrypted data

Definition at line 359 of file CookieJar.php.

References $data, $res, _validateIv(), and _validateKey().

Referenced by getCookieValue().

359  {
360  $iv = $this->_validateIv($iv);
361  $key = $this->_validateKey($key);
362  mcrypt_generic_init($this->_cryptModule, $key, $iv);
363  $decryptedData = mdecrypt_generic($this->_cryptModule, $data);
364  $res = str_replace("\x0", '', $decryptedData);
365  mcrypt_generic_deinit($this->_cryptModule);
366  return $res;
367  }
Slim_Http_CookieJar\_validateKey
_validateKey($key)
Validate key.
Definition: CookieJar.php:393
Slim_Http_CookieJar\_validateIv
_validateIv($iv)
Validate Initialization vector.
Definition: CookieJar.php:377
$data
$data
Definition: example_011.php:126
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _encrypt()

Slim_Http_CookieJar::_encrypt (   $data,
  $key,
  $iv 
)
protected

Encrypt a given data with a given key and a given initialisation vector.

Parameters
string$dataData to crypt
string$keySecret key
string$ivInitialisation vector
Returns
string Encrypted data

Definition at line 342 of file CookieJar.php.

References $data, $res, _validateIv(), and _validateKey().

Referenced by _secureCookieValue().

342  {
343  $iv = $this->_validateIv($iv);
344  $key = $this->_validateKey($key);
345  mcrypt_generic_init($this->_cryptModule, $key, $iv);
346  $res = @mcrypt_generic($this->_cryptModule, $data);
347  mcrypt_generic_deinit($this->_cryptModule);
348  return $res;
349  }
Slim_Http_CookieJar\_validateKey
_validateKey($key)
Validate key.
Definition: CookieJar.php:393
Slim_Http_CookieJar\_validateIv
_validateIv($iv)
Validate Initialization vector.
Definition: CookieJar.php:377
$data
$data
Definition: example_011.php:126
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _secureCookieValue()

Slim_Http_CookieJar::_secureCookieValue (   $value,
  $username,
  $expire 
)
protected

Secure a cookie value.

The initial value is transformed with this protocol:

secureValue = username|expire|base64((value)k,expire)|HMAC(user|expire|value,k) where k = HMAC(user|expire, sk) and sk is server's secret key (value)k,md5(expire) is the result an cryptographic function (ex: AES256) on "value" with key k and initialisation vector = md5(expire)

Parameters
string$valueUnsecure value
string$usernameUser identifier
integer$expireExpiration time
Returns
string Secured value

Definition at line 315 of file CookieJar.php.

References $_SERVER, $result, _encrypt(), and getHighConfidentiality().

Referenced by setCookie().

315  {
316  if ( is_string($expire) ) {
317  $expire = strtotime($expire);
318  }
319  $key = hash_hmac('sha1', $username . $expire, $this->_secret);
320  if ( $value !== '' && $this->getHighConfidentiality() ) {
321  $encryptedValue = base64_encode($this->_encrypt($value, $key, md5($expire)));
322  } else {
323  $encryptedValue = base64_encode($value);
324  }
325  if ( $this->_ssl && isset($_SERVER['SSL_SESSION_ID']) ) {
326  $verifKey = hash_hmac('sha1', $username . $expire . $value . $_SERVER['SSL_SESSION_ID'], $key);
327  } else {
328  $verifKey = hash_hmac('sha1', $username . $expire . $value, $key);
329  }
330  $result = array($username, $expire, $encryptedValue, $verifKey);
331  return implode('|', $result);
332  }
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
$result
$result
Definition: CleanUpTest.php:407
Slim_Http_CookieJar\getHighConfidentiality
getHighConfidentiality()
Get the high confidentiality mode.
Definition: CookieJar.php:136
Slim_Http_CookieJar\_encrypt
_encrypt( $data, $key, $iv)
Encrypt a given data with a given key and a given initialisation vector.
Definition: CookieJar.php:342
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _validateIv()

Slim_Http_CookieJar::_validateIv (   $iv)
protected

Validate Initialization vector.

If given IV is too long for the selected mcrypt algorithm, it will be truncated

Parameters
string$ivInitialization vector
Returns
string

Definition at line 377 of file CookieJar.php.

Referenced by _decrypt(), and _encrypt().

377  {
378  $ivSize = mcrypt_enc_get_iv_size($this->_cryptModule);
379  if ( strlen($iv) > $ivSize ) {
380  $iv = substr($iv, 0, $ivSize);
381  }
382  return $iv;
383  }
+ Here is the caller graph for this function:

◆ _validateKey()

Slim_Http_CookieJar::_validateKey (   $key)
protected

Validate key.

If given key is too long for the selected mcrypt algorithm, it will be truncated

Parameters
string$keykey
string

Definition at line 393 of file CookieJar.php.

Referenced by _decrypt(), and _encrypt().

393  {
394  $keySize = mcrypt_enc_get_key_size($this->_cryptModule);
395  if ( strlen($key) > $keySize ) {
396  $key = substr($key, 0, $keySize);
397  }
398  return $key;
399  }
+ Here is the caller graph for this function:

◆ cookieExists()

Slim_Http_CookieJar::cookieExists (   $cookiename)

Verify if a cookie exists.

Parameters
string$cookiename
Returns
bool TRUE if cookie exist, or FALSE if not

Definition at line 296 of file CookieJar.php.

References $_COOKIE.

Referenced by getCookieValue().

296  {
297  return isset($_COOKIE[$cookiename]);
298  }
$_COOKIE
$_COOKIE["ilClientId"]
Definition: cron.php:11
+ Here is the caller graph for this function:

◆ deleteCookie()

Slim_Http_CookieJar::deleteCookie (   $name,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Delete a cookie.

Parameters
string$nameCookie name
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 221 of file CookieJar.php.

References $path.

Referenced by getCookieValue().

221  {
222  $expire = 315554400; /* 1980-01-01 */
223  $this->_cookies[$name] = new Slim_Http_Cookie($name, '', $expire, $path, $domain, $secure, $httponly);
224  //setcookie($name, '', $expire, $path, $domain, $secure, $httponly);
225  }
Slim_Http_Cookie
Definition: Cookie.php:42
$path
$path
Definition: index.php:22
+ Here is the caller graph for this function:

◆ getCookieValue()

Slim_Http_CookieJar::getCookieValue (   $cookiename,
  $deleteIfInvalid = true 
)

Get a secure cookie value.

Verify the integrity of cookie data and decrypt it. If the cookie is invalid, it can be automatically destroyed (default behaviour)

Parameters
string$cookienameCookie name
bool$deleteDestroy the cookie if invalid?
Returns
string|false The Cookie value, or FALSE if Cookie invalid

Definition at line 237 of file CookieJar.php.

References $_COOKIE, $_SERVER, $data, _decrypt(), cookieExists(), deleteCookie(), and getHighConfidentiality().

237  {
238  if ( $this->cookieExists($cookiename) ) {
239  if ( extension_loaded('mcrypt') ) {
240  $cookieValues = explode('|', $_COOKIE[$cookiename]);
241  if ( (count($cookieValues) === 4) && ($cookieValues[1] == 0 || $cookieValues[1] >= time()) ) {
242  $key = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1], $this->_secret);
243  $cookieData = base64_decode($cookieValues[2]);
244  if ( $cookieData !== '' && $this->getHighConfidentiality() ) {
245  $data = $this->_decrypt($cookieData, $key, md5($cookieValues[1]));
246  } else {
247  $data = $cookieData;
248  }
249  if ( $this->_ssl && isset($_SERVER['SSL_SESSION_ID']) ) {
250  $verifKey = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1] . $data . $_SERVER['SSL_SESSION_ID'], $key);
251  } else {
252  $verifKey = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1] . $data, $key);
253  }
254  if ( $verifKey == $cookieValues[3] ) {
255  return $data;
256  }
257  }
258  } else {
259  return $_COOKIE[$cookiename];
260  }
261  }
262  if ( $deleteIfInvalid ) {
263  $this->deleteCookie($cookiename);
264  }
265  return false;
266  }
Slim_Http_CookieJar\cookieExists
cookieExists($cookiename)
Verify if a cookie exists.
Definition: CookieJar.php:296
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
Slim_Http_CookieJar\deleteCookie
deleteCookie( $name, $path='/', $domain='', $secure=false, $httponly=null)
Delete a cookie.
Definition: CookieJar.php:221
Slim_Http_CookieJar\getHighConfidentiality
getHighConfidentiality()
Get the high confidentiality mode.
Definition: CookieJar.php:136
$_COOKIE
$_COOKIE["ilClientId"]
Definition: cron.php:11
$data
$data
Definition: example_011.php:126
Slim_Http_CookieJar\_decrypt
_decrypt( $data, $key, $iv)
Decrypt a given data with a given key and a given initialisation vector.
Definition: CookieJar.php:359
+ Here is the call graph for this function:

◆ getHighConfidentiality()

Slim_Http_CookieJar::getHighConfidentiality ( )

Get the high confidentiality mode.

Returns
bool TRUE if cookie data encryption is enabled, or FALSE if it isn't

Definition at line 136 of file CookieJar.php.

References $_highConfidentiality.

Referenced by _secureCookieValue(), and getCookieValue().

136  {
137  return $this->_highConfidentiality;
138  }
Slim_Http_CookieJar\$_highConfidentiality
$_highConfidentiality
Definition: CookieJar.php:79
+ Here is the caller graph for this function:

◆ getResponseCookie()

Slim_Http_CookieJar::getResponseCookie (   $cookiename)

Get Cookie with name for Response.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Parameters
string$cookienameThe name of the Cookie
Returns
Cookie|null Cookie, or NULL if Cookie with name not found

Definition at line 191 of file CookieJar.php.

191  {
192  return isset($this->_cookies[$cookiename]) ? $this->_cookies[$cookiename] : null;
193  }

◆ getResponseCookies()

Slim_Http_CookieJar::getResponseCookies ( )

Get Cookies for Response.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Returns
array[Cookie]

Definition at line 180 of file CookieJar.php.

References $_cookies.

180  {
181  return $this->_cookies;
182  }
Slim_Http_CookieJar\$_cookies
$_cookies
Definition: CookieJar.php:89

◆ getSSL()

Slim_Http_CookieJar::getSSL ( )

Get the SSL status (enabled or disabled?)

Returns
bool TRUE if SSL support is enabled, or FALSE if it isn't

Definition at line 156 of file CookieJar.php.

References $_ssl.

156  {
157  return $this->_ssl;
158  }
Slim_Http_CookieJar\$_ssl
$_ssl
Definition: CookieJar.php:84

◆ setClassicCookie()

Slim_Http_CookieJar::setClassicCookie (   $cookiename,
  $value,
  $expire = 0,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Send a classic (unsecure) cookie.

Parameters
string$nameCookie name
string$valueCookie value
integer$expireExpiration time
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 279 of file CookieJar.php.

References $path.

Referenced by setCookie().

279  {
280  /* httponly option is only available for PHP version >= 5.2 */
281  if ( $httponly === null ) {
282  $this->_cookies[$cookiename] = new Slim_Http_Cookie($cookiename, $value, $expire, $path, $domain, $secure);
283  //setcookie($cookiename, $value, $expire, $path, $domain, $secure);
284  } else {
285  $this->_cookies[$cookiename] = new Slim_Http_Cookie($cookiename, $value, $expire, $path, $domain, $secure, $httponly);
286  //setcookie($cookiename, $value, $expire, $path, $domain, $secure, $httponly);
287  }
288  }
Slim_Http_Cookie
Definition: Cookie.php:42
$path
$path
Definition: index.php:22
+ Here is the caller graph for this function:

◆ setCookie()

Slim_Http_CookieJar::setCookie (   $cookiename,
  $value,
  $username,
  $expire = 0,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Set a secure cookie.

Parameters
string$nameCookie name
string$valueCookie value
string$usernameUser identifier
integer$expireExpiration time
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 207 of file CookieJar.php.

References $path, _secureCookieValue(), and setClassicCookie().

207  {
208  $secureValue = extension_loaded('mcrypt') ? $this->_secureCookieValue($value, $username, $expire) : $value;
209  $this->setClassicCookie($cookiename, $secureValue, $expire, $path, $domain, $secure, $httponly);
210  }
Slim_Http_CookieJar\_secureCookieValue
_secureCookieValue( $value, $username, $expire)
Secure a cookie value.
Definition: CookieJar.php:315
Slim_Http_CookieJar\setClassicCookie
setClassicCookie( $cookiename, $value, $expire=0, $path='/', $domain='', $secure=false, $httponly=null)
Send a classic (unsecure) cookie.
Definition: CookieJar.php:279
$path
$path
Definition: index.php:22
+ Here is the call graph for this function:

◆ setHighConfidentiality()

Slim_Http_CookieJar::setHighConfidentiality (   $enable)

Enable or disable cookie data encryption.

Parameters
bool$enableTRUE to enable, FALSE to disable
Returns
CookieJar

Definition at line 146 of file CookieJar.php.

146  {
147  $this->_highConfidentiality = (bool)$enable;
148  return $this;
149  }

◆ setSSL()

Slim_Http_CookieJar::setSSL (   $enable)

Enable SSL support (not enabled by default)

Pro: Protect against replay attack Con: Cookie's lifetime is limited to SSL session's lifetime

Parameters
bool$enableTRUE to enable, FALSE to disable
Returns
CookieJar

Definition at line 169 of file CookieJar.php.

169  {
170  $this->_ssl = (bool)$enable;
171  return $this;
172  }

Field Documentation

◆ $_algorithm

Slim_Http_CookieJar::$_algorithm = MCRYPT_RIJNDAEL_256
protected

Definition at line 64 of file CookieJar.php.

◆ $_cookies

Slim_Http_CookieJar::$_cookies = array()
protected

Definition at line 89 of file CookieJar.php.

Referenced by getResponseCookies().

◆ $_cryptModule

Slim_Http_CookieJar::$_cryptModule = null
protected

Definition at line 74 of file CookieJar.php.

◆ $_highConfidentiality

Slim_Http_CookieJar::$_highConfidentiality = true
protected

Definition at line 79 of file CookieJar.php.

Referenced by getHighConfidentiality().

◆ $_mode

Slim_Http_CookieJar::$_mode = MCRYPT_MODE_CBC
protected

Definition at line 69 of file CookieJar.php.

◆ $_secret

Slim_Http_CookieJar::$_secret = ''
protected

Definition at line 59 of file CookieJar.php.

◆ $_ssl

Slim_Http_CookieJar::$_ssl = false
protected

Definition at line 84 of file CookieJar.php.

Referenced by getSSL().

The documentation for this class was generated from the following file: