<?php
# http://github.com/sofadesign/vincent-helye.com to see how to use it
# TODO: add documentation
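/**
 * Return the CSRF token for the current session, creating one if none is stored.
 *
 * The token is kept in three session entries: `$token_name` (the value),
 * `$token_name.'_time'` (creation timestamp) and
 * `$token_name.'_expiration_time'` (lifetime in seconds).
 *
 * @param string $token_name            session key / form field name
 * @param int    $token_expiration_time lifetime in seconds, used when creating a token
 * @return array array('name' => string, 'value' => string, 'expiration_time' => int)
 */
function lemon_csrf_token($token_name = 'form_token', $token_expiration_time = 300)
{
    // Per-request cache so repeated calls hand back the same token.
    static $name = null;
    static $expiration_time = null;
    static $token;

    if(isset($_SESSION[$token_name]))
    {
        // Reuse the token already in the session; a missing expiration entry
        // (older session layout) falls back to the requested lifetime instead
        // of an undefined-index warning.
        $name = $token_name;
        $token = $_SESSION[$token_name];
        $expiration_time = isset($_SESSION[$token_name.'_expiration_time'])
            ? $_SESSION[$token_name.'_expiration_time']
            : $token_expiration_time;
    }
    else
    {
        if(!is_null($name)) lemon_csrf_unset_token($name); // unset previous token
        $name = $token_name;
        // A CSRF token must be unpredictable. uniqid() is derived from the clock,
        // so use the CSPRNG where available (PHP >= 7); the legacy generator is
        // kept only for older runtimes. Both forms are 32 hex characters.
        $token = function_exists('random_bytes')
            ? bin2hex(random_bytes(16))
            : md5(uniqid('auth', true));
        // First token of the request decides the lifetime; later calls keep it.
        if(is_null($expiration_time)) $expiration_time = $token_expiration_time;
        $_SESSION[$name] = $token;
        $_SESSION[$name.'_time'] = time();
        $_SESSION[$name.'_expiration_time'] = $expiration_time;
    }
    return array('name' => $name, 'value' => $token, 'expiration_time' => $expiration_time);
}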
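/**
 * Remove a CSRF token and its bookkeeping entries from the session.
 *
 * @param array|string|null $token token array from lemon_csrf_token(), a bare
 *                                 token name, or null for the current token
 * @return void
 */
function lemon_csrf_unset_token($token = null)
{
    if(is_null($token)) $token = lemon_csrf_token();
    $token_name = is_array($token) ? $token['name'] : $token;
    if(!is_null($token_name))
    {
        unset($_SESSION[$token_name]);
        unset($_SESSION[$token_name.'_time']);
        // Previously keyed on an undefined $name, so the expiration entry was
        // never removed and leaked into the next token with the same name.
        unset($_SESSION[$token_name.'_expiration_time']);
    }
}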
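/**
 * Seconds elapsed since the token was created.
 *
 * @param array|string|null $token token array, bare token name, or null for the current token
 * @return int age in seconds; a token with no recorded creation time is treated
 *             as created at epoch 0 (as old as possible) instead of emitting an
 *             undefined-index warning
 */
function lemon_csrf_token_age($token = null)
{
    if(is_null($token)) $token = lemon_csrf_token();
    $token_name = is_array($token) ? $token['name'] : $token;
    $created_at = isset($_SESSION[$token_name.'_time']) ? (int) $_SESSION[$token_name.'_time'] : 0;
    return time() - $created_at;
}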
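/**
 * Whether the token is older than its configured lifetime.
 *
 * @param array|string|null $token token array, bare token name, or null for the current token
 * @return bool
 */
function lemon_csrf_token_expired($token = null)
{
    if(is_null($token)) $token = lemon_csrf_token();
    // The bare-name form used to be indexed with ['expiration_time'], which is
    // an error on a string; resolve the lifetime from the session instead.
    if(is_array($token))
    {
        $token_name = $token['name'];
        $expiration_time = isset($token['expiration_time']) ? $token['expiration_time'] : null;
    }
    else
    {
        $token_name = $token;
        $expiration_time = null;
    }
    if(is_null($expiration_time) && isset($_SESSION[$token_name.'_expiration_time']))
    {
        $expiration_time = $_SESSION[$token_name.'_expiration_time'];
    }
    // Unknown lifetime: fail closed and treat the token as expired once it has any age.
    if(is_null($expiration_time)) $expiration_time = 0;
    return lemon_csrf_token_age($token_name) > $expiration_time;
}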
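/**
 * Abort the request unless the POSTed token matches the one in the session.
 *
 * @param string            $msg   message passed to halt() on failure
 * @param array|string|null $token token array, bare token name, or null for the current token
 * @return true when the token matches; otherwise halt(HTTP_FORBIDDEN, $msg) is invoked
 */
function lemon_csrf_require_valid_token($msg = 'Cross site request forgery detected. Request aborted', $token = null)
{
    if(is_null($token)) $token = lemon_csrf_token();
    $token_name = is_array($token) ? $token['name'] : $token;
    // Both sides must be present strings: a missing field, a non-string POST value
    // (e.g. an array) or an empty session is a failure, not a null == null match.
    $submitted = isset($_POST[$token_name]) && is_string($_POST[$token_name]) ? $_POST[$token_name] : null;
    $expected = isset($_SESSION[$token_name]) && is_string($_SESSION[$token_name]) ? $_SESSION[$token_name] : null;
    // Strict, constant-time comparison; the former loose != let numeric-looking
    // strings compare equal. hash_equals() exists since PHP 5.6.
    $valid = !is_null($submitted) && !is_null($expected)
        && (function_exists('hash_equals') ? hash_equals($expected, $submitted) : $expected === $submitted);
    // NOTE(review): token age is not checked here; see lemon_csrf_token_expired().
    if(!$valid) halt(HTTP_FORBIDDEN, $msg);
    return true;
}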
# HELPERS
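/**
 * Render the hidden input carrying the CSRF token.
 *
 * @param array|string|null $token token array from lemon_csrf_token(), a bare
 *                                 token value (field name defaults to
 *                                 'form_token'), or null for the current token
 * @return string HTML `<input type="hidden">` element
 */
function html_form_token_field($token = null)
{
    if(is_null($token)) $token = lemon_csrf_token();
    // Use the token's own name so the field matches what
    // lemon_csrf_require_valid_token() reads from $_POST; it used to be
    // hard-coded to 'form_token' regardless of the token.
    $field_name = is_array($token) && isset($token['name']) ? $token['name'] : 'form_token';
    $token_value = is_array($token) ? $token['value'] : $token;
    // Escape for the attribute context even though generated tokens are hex.
    $name_attr = htmlspecialchars((string) $field_name, ENT_QUOTES, 'UTF-8');
    $value_attr = htmlspecialchars((string) $token_value, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="'.$name_attr.'" value="'.$value_attr.'" id="'.$name_attr.'">';
}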