ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
Public Member Functions | Protected Member Functions | Protected Attributes
Slim_Http_CookieJar Class Reference

Slim - a micro PHP 5 framework. More...

+ Collaboration diagram for Slim_Http_CookieJar:

Public Member Functions

 __construct ( $secret, $config=null)
 Constructor. More...
 
 getHighConfidentiality ()
 Get the high confidentiality mode. More...
 
 setHighConfidentiality ( $enable)
 Enable or disable cookie data encryption. More...
 
 getSSL ()
 Get the SSL status (enabled or disabled?) More...
 
 setSSL ( $enable)
 Enable SSL support (not enabled by default) More...
 
 getResponseCookies ()
 Get Cookies for Response. More...
 
 getResponseCookie ( $cookiename)
 Get Cookie with name for Response. More...
 
 setCookie ( $cookiename, $value, $username, $expire=0, $path='/', $domain='', $secure=false, $httponly=null)
 Set a secure cookie. More...
 
 deleteCookie ( $name, $path='/', $domain='', $secure=false, $httponly=null)
 Delete a cookie. More...
 
 getCookieValue ( $cookiename, $deleteIfInvalid=true)
 Get a secure cookie value. More...
 
 setClassicCookie ( $cookiename, $value, $expire=0, $path='/', $domain='', $secure=false, $httponly=null)
 Send a classic (unsecure) cookie. More...
 
 cookieExists ($cookiename)
 Verify if a cookie exists. More...
 

Protected Member Functions

 _secureCookieValue ( $value, $username, $expire)
 Secure a cookie value. More...
 
 _encrypt ( $data, $key, $iv)
 Encrypt a given data with a given key and a given initialisation vector. More...
 
 _decrypt ( $data, $key, $iv)
 Decrypt a given data with a given key and a given initialisation vector. More...
 
 _validateIv ($iv)
 Validate Initialization vector. More...
 
 _validateKey ($key)
 Validate key. More...
 

Protected Attributes

 $_secret = ''
 
 $_algorithm = MCRYPT_RIJNDAEL_256
 
 $_mode = MCRYPT_MODE_CBC
 
 $_cryptModule = null
 
 $_highConfidentiality = true
 
 $_ssl = false
 
 $_cookies = array()
 

Detailed Description

Slim - a micro PHP 5 framework.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Copyright
2011 Josh Lockhart http://www.slimframework.com/license 1.5.0 MIT LICENSE Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Cooke Jar Used to manage signed, encrypted Cookies. Provides: Cookie integrity and authenticity with HMACConfidentiality with symmetric encryptionProtection from replay attack if using SSL or TLSProtection from interception if using SSL or TLS This code was originally called "BigOrNot_CookieManager" and written by Matthieu Huguet released under "CopyLeft" license. I have cleaned up the code formatting to conform with Slim Framework contributor guidelines and added additional code where necessary to play nice with Slim Cookie objects. Requirements: libmcrypt > 2.4.x Matthies Huguet http://bigornot.blogspot.com/2008/06/security-cookies-and-rest.html

Definition at line 54 of file CookieJar.php.

Constructor & Destructor Documentation

◆ __construct()

Slim_Http_CookieJar::__construct (   $secret,
  $config = null 
)

Constructor.

Initialize cookie manager and mcrypt module.

Parameters
string$secretServer's secret key
array$config
Exceptions
ExceptionIf secret key is empty
ExceptionIf unable to open mcypt module

Definition at line 101 of file CookieJar.php.

101 {
102 if ( empty($secret) ) {
103 throw new Exception('You must provide a secret key');
104 }
105 $this->_secret = $secret;
106 if ( $config !== null && !is_array($config) ) {
107 throw new Exception('Config must be an array');
108 }
109 if ( is_array($config) ) {
110 if ( isset($config['high_confidentiality']) ) {
111 $this->_highConfidentiality = $config['high_confidentiality'];
112 }
113 if ( isset($config['mcrypt_algorithm']) ) {
114 $this->_algorithm = $config['mcrypt_algorithm'];
115 }
116 if ( isset($config['mcrypt_mode']) ) {
117 $this->_mode = $config['mcrypt_mode'];
118 }
119 if ( isset($config['enable_ssl']) ) {
120 $this->_ssl = $config['enable_ssl'];
121 }
122 }
123 if ( extension_loaded('mcrypt') ) {
124 $this->_cryptModule = mcrypt_module_open($this->_algorithm, '', $this->_mode, '');
125 if ( $this->_cryptModule === false ) {
126 throw new Exception('Error while loading mcrypt module');
127 }
128 }
129 }

Member Function Documentation

◆ _decrypt()

Slim_Http_CookieJar::_decrypt (   $data,
  $key,
  $iv 
)
protected

Decrypt a given data with a given key and a given initialisation vector.

Parameters
string$dataData to crypt
string$keySecret key
string$ivInitialisation vector
Returns
string Encrypted data

Definition at line 359 of file CookieJar.php.

359 {
360 $iv = $this->_validateIv($iv);
361 $key = $this->_validateKey($key);
362 mcrypt_generic_init($this->_cryptModule, $key, $iv);
363 $decryptedData = mdecrypt_generic($this->_cryptModule, $data);
364 $res = str_replace("\x0", '', $decryptedData);
365 mcrypt_generic_deinit($this->_cryptModule);
366 return $res;
367 }
Slim_Http_CookieJar\_validateKey
_validateKey($key)
Validate key.
Definition: CookieJar.php:393
Slim_Http_CookieJar\_validateIv
_validateIv($iv)
Validate Initialization vector.
Definition: CookieJar.php:377
$data
$data
Definition: example_011.php:126

References $data, $res, _validateIv(), and _validateKey().

Referenced by getCookieValue().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _encrypt()

Slim_Http_CookieJar::_encrypt (   $data,
  $key,
  $iv 
)
protected

Encrypt a given data with a given key and a given initialisation vector.

Parameters
string$dataData to crypt
string$keySecret key
string$ivInitialisation vector
Returns
string Encrypted data

Definition at line 342 of file CookieJar.php.

342 {
343 $iv = $this->_validateIv($iv);
344 $key = $this->_validateKey($key);
345 mcrypt_generic_init($this->_cryptModule, $key, $iv);
346 $res = @mcrypt_generic($this->_cryptModule, $data);
347 mcrypt_generic_deinit($this->_cryptModule);
348 return $res;
349 }

References $data, $res, _validateIv(), and _validateKey().

Referenced by _secureCookieValue().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _secureCookieValue()

Slim_Http_CookieJar::_secureCookieValue (   $value,
  $username,
  $expire 
)
protected

Secure a cookie value.

The initial value is transformed with this protocol:

secureValue = username|expire|base64((value)k,expire)|HMAC(user|expire|value,k) where k = HMAC(user|expire, sk) and sk is server's secret key (value)k,md5(expire) is the result an cryptographic function (ex: AES256) on "value" with key k and initialisation vector = md5(expire)

Parameters
string$valueUnsecure value
string$usernameUser identifier
integer$expireExpiration time
Returns
string Secured value

Definition at line 315 of file CookieJar.php.

315 {
316 if ( is_string($expire) ) {
317 $expire = strtotime($expire);
318 }
319 $key = hash_hmac('sha1', $username . $expire, $this->_secret);
320 if ( $value !== '' && $this->getHighConfidentiality() ) {
321 $encryptedValue = base64_encode($this->_encrypt($value, $key, md5($expire)));
322 } else {
323 $encryptedValue = base64_encode($value);
324 }
325 if ( $this->_ssl && isset($_SERVER['SSL_SESSION_ID']) ) {
326 $verifKey = hash_hmac('sha1', $username . $expire . $value . $_SERVER['SSL_SESSION_ID'], $key);
327 } else {
328 $verifKey = hash_hmac('sha1', $username . $expire . $value, $key);
329 }
330 $result = array($username, $expire, $encryptedValue, $verifKey);
331 return implode('|', $result);
332 }
$result
$result
Definition: CleanUpTest.php:407
Slim_Http_CookieJar\getHighConfidentiality
getHighConfidentiality()
Get the high confidentiality mode.
Definition: CookieJar.php:136
Slim_Http_CookieJar\_encrypt
_encrypt( $data, $key, $iv)
Encrypt a given data with a given key and a given initialisation vector.
Definition: CookieJar.php:342
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54

References $_SERVER, $result, _encrypt(), and getHighConfidentiality().

Referenced by setCookie().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ _validateIv()

Slim_Http_CookieJar::_validateIv (   $iv)
protected

Validate Initialization vector.

If given IV is too long for the selected mcrypt algorithm, it will be truncated

Parameters
string$ivInitialization vector
Returns
string

Definition at line 377 of file CookieJar.php.

377 {
378 $ivSize = mcrypt_enc_get_iv_size($this->_cryptModule);
379 if ( strlen($iv) > $ivSize ) {
380 $iv = substr($iv, 0, $ivSize);
381 }
382 return $iv;
383 }

Referenced by _decrypt(), and _encrypt().

+ Here is the caller graph for this function:

◆ _validateKey()

Slim_Http_CookieJar::_validateKey (   $key)
protected

Validate key.

If given key is too long for the selected mcrypt algorithm, it will be truncated

Parameters
string$keykey
string

Definition at line 393 of file CookieJar.php.

393 {
394 $keySize = mcrypt_enc_get_key_size($this->_cryptModule);
395 if ( strlen($key) > $keySize ) {
396 $key = substr($key, 0, $keySize);
397 }
398 return $key;
399 }

Referenced by _decrypt(), and _encrypt().

+ Here is the caller graph for this function:

◆ cookieExists()

Slim_Http_CookieJar::cookieExists (   $cookiename)

Verify if a cookie exists.

Parameters
string$cookiename
Returns
bool TRUE if cookie exist, or FALSE if not

Definition at line 296 of file CookieJar.php.

296 {
297 return isset($_COOKIE[$cookiename]);
298 }
$_COOKIE
$_COOKIE["ilClientId"]
Definition: cron.php:11

References $_COOKIE.

Referenced by getCookieValue().

+ Here is the caller graph for this function:

◆ deleteCookie()

Slim_Http_CookieJar::deleteCookie (   $name,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Delete a cookie.

Parameters
string$nameCookie name
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 221 of file CookieJar.php.

221 {
222 $expire = 315554400; /* 1980-01-01 */
223 $this->_cookies[$name] = new Slim_Http_Cookie($name, '', $expire, $path, $domain, $secure, $httponly);
224 //setcookie($name, '', $expire, $path, $domain, $secure, $httponly);
225 }
Slim_Http_Cookie
Definition: Cookie.php:42
$path
$path
Definition: index.php:22

References $path.

Referenced by getCookieValue().

+ Here is the caller graph for this function:

◆ getCookieValue()

Slim_Http_CookieJar::getCookieValue (   $cookiename,
  $deleteIfInvalid = true 
)

Get a secure cookie value.

Verify the integrity of cookie data and decrypt it. If the cookie is invalid, it can be automatically destroyed (default behaviour)

Parameters
string$cookienameCookie name
bool$deleteDestroy the cookie if invalid?
Returns
string|false The Cookie value, or FALSE if Cookie invalid

Definition at line 237 of file CookieJar.php.

237 {
238 if ( $this->cookieExists($cookiename) ) {
239 if ( extension_loaded('mcrypt') ) {
240 $cookieValues = explode('|', $_COOKIE[$cookiename]);
241 if ( (count($cookieValues) === 4) && ($cookieValues[1] == 0 || $cookieValues[1] >= time()) ) {
242 $key = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1], $this->_secret);
243 $cookieData = base64_decode($cookieValues[2]);
244 if ( $cookieData !== '' && $this->getHighConfidentiality() ) {
245 $data = $this->_decrypt($cookieData, $key, md5($cookieValues[1]));
246 } else {
247 $data = $cookieData;
248 }
249 if ( $this->_ssl && isset($_SERVER['SSL_SESSION_ID']) ) {
250 $verifKey = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1] . $data . $_SERVER['SSL_SESSION_ID'], $key);
251 } else {
252 $verifKey = hash_hmac('sha1', $cookieValues[0] . $cookieValues[1] . $data, $key);
253 }
254 if ( $verifKey == $cookieValues[3] ) {
255 return $data;
256 }
257 }
258 } else {
259 return $_COOKIE[$cookiename];
260 }
261 }
262 if ( $deleteIfInvalid ) {
263 $this->deleteCookie($cookiename);
264 }
265 return false;
266 }
Slim_Http_CookieJar\_decrypt
_decrypt( $data, $key, $iv)
Decrypt a given data with a given key and a given initialisation vector.
Definition: CookieJar.php:359
Slim_Http_CookieJar\deleteCookie
deleteCookie( $name, $path='/', $domain='', $secure=false, $httponly=null)
Delete a cookie.
Definition: CookieJar.php:221
Slim_Http_CookieJar\cookieExists
cookieExists($cookiename)
Verify if a cookie exists.
Definition: CookieJar.php:296

References $_COOKIE, $_SERVER, $data, _decrypt(), cookieExists(), deleteCookie(), and getHighConfidentiality().

+ Here is the call graph for this function:

◆ getHighConfidentiality()

Slim_Http_CookieJar::getHighConfidentiality ( )

Get the high confidentiality mode.

Returns
bool TRUE if cookie data encryption is enabled, or FALSE if it isn't

Definition at line 136 of file CookieJar.php.

136 {
137 return $this->_highConfidentiality;
138 }
Slim_Http_CookieJar\$_highConfidentiality
$_highConfidentiality
Definition: CookieJar.php:79

References $_highConfidentiality.

Referenced by _secureCookieValue(), and getCookieValue().

+ Here is the caller graph for this function:

◆ getResponseCookie()

Slim_Http_CookieJar::getResponseCookie (   $cookiename)

Get Cookie with name for Response.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Parameters
string$cookienameThe name of the Cookie
Returns
Cookie|null Cookie, or NULL if Cookie with name not found

Definition at line 191 of file CookieJar.php.

191 {
192 return isset($this->_cookies[$cookiename]) ? $this->_cookies[$cookiename] : null;
193 }

◆ getResponseCookies()

Slim_Http_CookieJar::getResponseCookies ( )

Get Cookies for Response.

Author
Josh Lockhart info@.nosp@m.josh.nosp@m.lockh.nosp@m.art..nosp@m.com
Returns
array[Cookie]

Definition at line 180 of file CookieJar.php.

180 {
181 return $this->_cookies;
182 }
Slim_Http_CookieJar\$_cookies
$_cookies
Definition: CookieJar.php:89

References $_cookies.

◆ getSSL()

Slim_Http_CookieJar::getSSL ( )

Get the SSL status (enabled or disabled?)

Returns
bool TRUE if SSL support is enabled, or FALSE if it isn't

Definition at line 156 of file CookieJar.php.

156 {
157 return $this->_ssl;
158 }
Slim_Http_CookieJar\$_ssl
$_ssl
Definition: CookieJar.php:84

References $_ssl.

◆ setClassicCookie()

Slim_Http_CookieJar::setClassicCookie (   $cookiename,
  $value,
  $expire = 0,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Send a classic (unsecure) cookie.

Parameters
string$nameCookie name
string$valueCookie value
integer$expireExpiration time
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 279 of file CookieJar.php.

279 {
280 /* httponly option is only available for PHP version >= 5.2 */
281 if ( $httponly === null ) {
282 $this->_cookies[$cookiename] = new Slim_Http_Cookie($cookiename, $value, $expire, $path, $domain, $secure);
283 //setcookie($cookiename, $value, $expire, $path, $domain, $secure);
284 } else {
285 $this->_cookies[$cookiename] = new Slim_Http_Cookie($cookiename, $value, $expire, $path, $domain, $secure, $httponly);
286 //setcookie($cookiename, $value, $expire, $path, $domain, $secure, $httponly);
287 }
288 }

References $path.

Referenced by setCookie().

+ Here is the caller graph for this function:

◆ setCookie()

Slim_Http_CookieJar::setCookie (   $cookiename,
  $value,
  $username,
  $expire = 0,
  $path = '/',
  $domain = '',
  $secure = false,
  $httponly = null 
)

Set a secure cookie.

Parameters
string$nameCookie name
string$valueCookie value
string$usernameUser identifier
integer$expireExpiration time
string$pathCookie path
string$domainCookie domain
bool$secureWhen TRUE, send the cookie only on a secure connection
bool$httponlyWhen TRUE the cookie will be made accessible only through the HTTP protocol

Definition at line 207 of file CookieJar.php.

207 {
208 $secureValue = extension_loaded('mcrypt') ? $this->_secureCookieValue($value, $username, $expire) : $value;
209 $this->setClassicCookie($cookiename, $secureValue, $expire, $path, $domain, $secure, $httponly);
210 }
Slim_Http_CookieJar\_secureCookieValue
_secureCookieValue( $value, $username, $expire)
Secure a cookie value.
Definition: CookieJar.php:315
Slim_Http_CookieJar\setClassicCookie
setClassicCookie( $cookiename, $value, $expire=0, $path='/', $domain='', $secure=false, $httponly=null)
Send a classic (unsecure) cookie.
Definition: CookieJar.php:279

References $path, _secureCookieValue(), and setClassicCookie().

+ Here is the call graph for this function:

◆ setHighConfidentiality()

Slim_Http_CookieJar::setHighConfidentiality (   $enable)

Enable or disable cookie data encryption.

Parameters
bool$enableTRUE to enable, FALSE to disable
Returns
CookieJar

Definition at line 146 of file CookieJar.php.

146 {
147 $this->_highConfidentiality = (bool)$enable;
148 return $this;
149 }

◆ setSSL()

Slim_Http_CookieJar::setSSL (   $enable)

Enable SSL support (not enabled by default)

Pro: Protect against replay attack Con: Cookie's lifetime is limited to SSL session's lifetime

Parameters
bool$enableTRUE to enable, FALSE to disable
Returns
CookieJar

Definition at line 169 of file CookieJar.php.

169 {
170 $this->_ssl = (bool)$enable;
171 return $this;
172 }

Field Documentation

◆ $_algorithm

Slim_Http_CookieJar::$_algorithm = MCRYPT_RIJNDAEL_256
protected

Definition at line 64 of file CookieJar.php.

◆ $_cookies

Slim_Http_CookieJar::$_cookies = array()
protected

Definition at line 89 of file CookieJar.php.

Referenced by getResponseCookies().

◆ $_cryptModule

Slim_Http_CookieJar::$_cryptModule = null
protected

Definition at line 74 of file CookieJar.php.

◆ $_highConfidentiality

Slim_Http_CookieJar::$_highConfidentiality = true
protected

Definition at line 79 of file CookieJar.php.

Referenced by getHighConfidentiality().

◆ $_mode

Slim_Http_CookieJar::$_mode = MCRYPT_MODE_CBC
protected

Definition at line 69 of file CookieJar.php.

◆ $_secret

Slim_Http_CookieJar::$_secret = ''
protected

Definition at line 59 of file CookieJar.php.

◆ $_ssl

Slim_Http_CookieJar::$_ssl = false
protected

Definition at line 84 of file CookieJar.php.

Referenced by getSSL().

The documentation for this class was generated from the following file: