Stud.IP  4.2 Revision
CSRFProtection Class Reference

Static Public Member Functions

static verifyUnsafeRequest ()
 
static verifySecurityToken ()
 
static verifyRequest ()
 
static token ()
 
static tokenTag ()
 

Data Fields

const TOKEN = 'security_token'
 

Detailed Description

To protect Stud.IP from forged requests from other sites, a security token is generated and stored in the session. All forms (or rather POST requests) have to contain that token, which is then compared on the server side to verify the authenticity of the request. GET requests are not checked as these are assumed to be idempotent anyway.

If a forgery is detected, an InvalidSecurityTokenException is thrown and a log entry is recorded in the error log.

The (form or request) parameter is named "security_token". If you are authoring an HTML form, you have to include this as an input[type=hidden] element. This is easily done by calling CSRFProtection::tokenTag().

Checking the token is done implicitly when calling page_open in file lib/phplib/page4.inc.
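
The scheme described above (session-stored token, hidden form field, server-side comparison on unsafe requests), as an added stand-alone sketch; it is not Stud.IP's own code. The class name CsrfSketch, the array parameters standing in for the session and the POST data, the treatment of HEAD as unchecked alongside GET, and the constant-time comparison are assumptions of this example.

```php
<?php
// Added sketch, NOT Stud.IP source. CsrfSketch and its array parameters are
// hypothetical stand-ins for the real session and request objects.
final class CsrfSketch
{
    const TOKEN = 'security_token'; // parameter name documented on this page

    // Return the token stored in the session, generating it first if required.
    public static function token(array &$session): string
    {
        if (!isset($session[self::TOKEN])) {
            $session[self::TOKEN] = base64_encode(random_bytes(32));
        }
        return $session[self::TOKEN];
    }

    // Hidden input for forms; the value is escaped for the attribute context.
    public static function tokenTag(array &$session): string
    {
        return sprintf('<input type="hidden" name="%s" value="%s">',
            self::TOKEN, htmlspecialchars(self::token($session), ENT_QUOTES));
    }

    // Safe methods (assumed here: GET and HEAD) are not checked.
    // Every other request must carry the token held in the session.
    public static function verifyRequest(array $session, string $method, array $post): bool
    {
        if (in_array(strtoupper($method), ['GET', 'HEAD'], true)) {
            return true;
        }
        $sent   = $post[self::TOKEN] ?? '';
        $stored = $session[self::TOKEN] ?? '';
        // Constant-time comparison; an absent session token never matches.
        return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);
    }
}

// Constructed demo input: no real session or HTTP request is involved.
$session = [];
$token   = CsrfSketch::token($session);
echo CsrfSketch::tokenTag($session), "\n";
var_dump(CsrfSketch::verifyRequest($session, 'POST', [CsrfSketch::TOKEN => $token]));  // form rendered by the site
var_dump(CsrfSketch::verifyRequest($session, 'POST', []));                             // cross-site POST without token
var_dump(CsrfSketch::verifyRequest($session, 'POST', [CsrfSketch::TOKEN => 'guess'])); // cross-site POST with a guessed token
var_dump(CsrfSketch::verifyRequest($session, 'GET', []));                              // GET is not checked
```

Because GET requests pass unchecked in this design, any handler that changes state on GET is outside the protection.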

Member Function Documentation

◆ token()

static token ( )
static

Returns the token stored in the session, generating it first if required.

Returns
string a base64 encoded string of 32 random bytes
Exceptions
SessionRequiredException there is no session to store the token in

◆ tokenTag()

static tokenTag ( )
static

Returns a snippet of HTML containing an input[type=hidden] element like this:

<input type="hidden" name="security_token" value="012345678901234567890123456789==">
Returns
string the HTML snippet containing the input element

◆ verifyRequest()

static verifyRequest ( )
static

This checks the request and returns either true or false. It is implicitly called by CSRFProtection::verifySecurityToken(), so you should never need to call it directly.

Returns
boolean returns true if the request is valid

◆ verifySecurityToken()

static verifySecurityToken ( )
static

This checks the request and throws an InvalidSecurityTokenException if it fails to verify the request's authenticity.

Exceptions
InvalidSecurityTokenException request is invalid

◆ verifyUnsafeRequest()

static verifyUnsafeRequest ( )
static

This checks the request and throws an InvalidSecurityTokenException if it fails to verify the request's authenticity.

Exceptions
MethodNotAllowed The request has to be unsafe in terms of RFC 2616.
InvalidSecurityTokenException The request is invalid as the security token does not match.

Field Documentation

◆ TOKEN

const TOKEN = 'security_token'

The name of the parameter.


The documentation for this class was generated from the following file: