Make the XSRF token live for as long as the session, remove some old …

…array handling code. Closes #2174
symphonycms · Nov 5, 2014 · 1e41aab · 1e41aab
1 parent b9758dd
commit 1e41aab
Showing 1 changed file with 34 additions and 26 deletions.
diff --git a/symphony/lib/toolkit/class.xsrf.php b/symphony/lib/toolkit/class.xsrf.php
@@ -17,13 +17,17 @@ class XSRF
     /**
      * Return's the location of the XSRF tokens in the Session
      *
-     * @return array
+     * @return string|null
      */
-    public static function getSession()
+    public static function getSessionToken()
     {
-        $tokens = $_SESSION[__SYM_COOKIE_PREFIX__]['xsrf-token'];
+        $token = $_SESSION[__SYM_COOKIE_PREFIX__]['xsrf-token'];
+
+        if (is_array($token)) {
+            $token = key($token);
+        }
 
-        return is_null($tokens) ? array() : $tokens;
+        return is_null($token) ? null : $token;
     }
 
     /**
@@ -47,7 +51,7 @@ public static function removeSessionToken($token = null)
             return;
         }
 
-        unset($_SESSION[__SYM_COOKIE_PREFIX__]['xsrf-token'][$token]);
+        $_SESSION[__SYM_COOKIE_PREFIX__]['xsrf-token'] = null;
     }
 
     /**
@@ -106,13 +110,19 @@ public static function formToken()
      */
     public static function getToken()
     {
-        $tokens = self::getSession();
-        if (empty($tokens)) {
+        $token = self::getSessionToken();
+        if (is_null($token)) {
             $nonce = self::generateNonce(20);
-            $tokens[$nonce] = 1;
-            self::setSessionToken($tokens);
+            self::setSessionToken($nonce);
+
+        // Handle old tokens (< 2.6.0)
+        } elseif (is_array($token)) {
+            $nonce = key($token);
+            self::setSessionToken($nonce);
+
+        // New style tokens
         } else {
-            $nonce = key($tokens);
+            $nonce = $token;
         }
 
         return $nonce;
@@ -127,23 +137,9 @@ public static function getToken()
      */
     public static function validateToken($xsrf)
     {
-        $tokens = self::getSession();
-
-        // Sanity check
-        if (empty($tokens)) {
-            return false;
-        }
+        $token = self::getSessionToken();
 
-        // Check that the token exists
-        foreach ($tokens as $key => $expires) {
-            if ($key == $xsrf) {
-                return true;
-            } else {
-                self::removeSessionToken($key);
-            }
-        }
-
-        return false;
+        return $token === $xsrf;
     }
 
     /**
@@ -184,4 +180,16 @@ public static function throwXSRFException()
             __('Please go back and try again.');
         throw new SymphonyErrorPage($msg, __('Access Denied'), 'generic', array(), Page::HTTP_STATUS_FORBIDDEN);
     }
+
+    /**
+     * Return's the location of the XSRF tokens in the Session
+     *
+     * @deprecated This function will be removed in Symphony 2.8.0. Use
+     *  getSessionToken instead.
+     * @return string|null
+     */
+    public static function getSession()
+    {
+        return self::getSessionToken();
+    }
 }