PHP CSRF Protection.
Add this token (stored in the session) to each form as a hidden field and validate it on every state-changing request (POST/PUT/DELETE) before doing any work; compare it with a constant-time check, and reject the request if the session holds no token at all.
I'll just leave it here.
Good luck.
Add this token (stored in the session) to each form and validate on each POST.
PHP:
<?php
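/**
 * Session-bound CSRF token helper.
 *
 * Flow: setCSRFToken() stores a random token in the session; encryptCSRFToken()
 * returns an opaque form value derived from it; isValid() decrypts the submitted
 * value and compares it with the session token, rotating the token on success.
 *
 * Security notes on this revision (compared with the original posting):
 *  - the token is taken from the CSPRNG (random_bytes) instead of a hash of
 *    session id + client IP + time(), all of which an attacker can partly guess;
 *  - the IV comes from random_bytes and its size from the cipher actually used,
 *    replacing the removed mcrypt extension and the weak MCRYPT_RAND source;
 *  - the comparison is constant-time (hash_equals) and fails closed when the
 *    session has no token — the original `==` accepted a failed decrypt (false)
 *    against an empty session value;
 *  - the configured secret is stretched to a 32-byte key with SHA-256 so a short
 *    `encrypt_salt` is not silently NUL-padded by openssl_encrypt.
 *
 * NOTE(review): encrypting the token does not add protection beyond a random
 * per-session token compared server-side; it is kept only because callers
 * depend on the encrypt/decrypt interface. Rotating the token on every valid
 * POST (original behaviour, preserved) invalidates forms already open in other
 * tabs — consider keeping the token stable per session if that matters.
 */
class HazeCSRF
{
    /** Number of random bytes in a token (hex-encoded, so 64 characters). */
    const TOKEN_BYTES = 32;

    /**
     * Generate a fresh CSRF token from the CSPRNG and store it in the session.
     *
     * @return void
     * @throws Exception if no secure randomness source is available.
     */
    public static function setCSRFToken()
    {
        $token = bin2hex(random_bytes(self::TOKEN_BYTES));
        HazeRequest::setSession('csrf_token', $token);
    }

    /**
     * Return the session's CSRF token in an encrypted, base64-wrapped form
     * suitable for embedding in a form. Creates a token first if the session
     * has none.
     *
     * Wire format (unchanged from the original): base64(IV . openssl_encrypt(...))
     * where the openssl_encrypt output is itself base64 (options = 0).
     *
     * @param string $method openssl cipher name; default AES-256-CBC.
     * @return string
     * @throws RuntimeException on unknown cipher, missing secret or encryption failure.
     */
    public static function encryptCSRFToken($method = "AES-256-CBC")
    {
        $key = self::encryptionKey();

        if (!HazeRequest::getSession('csrf_token')) {
            self::setCSRFToken();
        }

        // IV length must match the cipher in use, not a CAST-256 constant that
        // only coincidentally equals the AES block size.
        $iv_size = openssl_cipher_iv_length($method);
        if ($iv_size === false) {
            throw new RuntimeException('Unknown cipher method: ' . $method);
        }
        // random_bytes(0) throws, so handle IV-less modes explicitly.
        $iv = $iv_size > 0 ? random_bytes($iv_size) : '';

        $encrypted = openssl_encrypt(HazeRequest::getSession('csrf_token'), $method, $key, 0, $iv);
        if ($encrypted === false) {
            throw new RuntimeException('CSRF token encryption failed');
        }

        return base64_encode($iv . $encrypted);
    }

    /**
     * Reverse encryptCSRFToken(). Returns the plaintext token, or false if the
     * value is not a string, is not valid base64, is too short to contain the
     * IV, or fails to decrypt. Never emits warnings for malformed input.
     *
     * @param mixed  $token  value taken from the request (untrusted).
     * @param string $method openssl cipher name; must match the one used to encrypt.
     * @return string|false
     */
    public static function decryptCSRFToken($token, $method = "AES-256-CBC")
    {
        if (!is_string($token) || $token === '') {
            return false;
        }

        // Strict decoding rejects garbage instead of silently skipping it.
        $raw = base64_decode($token, true);
        if ($raw === false) {
            return false;
        }

        $iv_size = openssl_cipher_iv_length($method);
        if ($iv_size === false || strlen($raw) <= $iv_size) {
            // Too short to hold IV + ciphertext; openssl_decrypt would warn.
            return false;
        }

        $iv = substr($raw, 0, $iv_size);
        $ciphertext = substr($raw, $iv_size);

        return openssl_decrypt($ciphertext, $method, self::encryptionKey(), 0, $iv);
    }

    /**
     * Validate a submitted (encrypted) CSRF token against the session token.
     *
     * Fails closed: returns false when the session holds no token, when the
     * submitted value cannot be decrypted, or when the values differ. On
     * success the session token is rotated (original behaviour).
     *
     * @param mixed $csrf_token value taken from the request (untrusted).
     * @return bool
     */
    public static function isValid($csrf_token)
    {
        $expected = HazeRequest::getSession('csrf_token');
        if (!is_string($expected) || $expected === '') {
            // No token was ever issued for this session: nothing can be valid.
            return false;
        }

        $supplied = self::decryptCSRFToken($csrf_token);
        if (!is_string($supplied)) {
            return false;
        }

        // Constant-time comparison; `==` both leaked timing and treated
        // false == '' / null as equal.
        if (hash_equals($expected, $supplied)) {
            self::setCSRFToken();
            return true;
        }

        return false;
    }

    /**
     * Derive the symmetric key from the configured secret.
     *
     * SHA-256 yields exactly 32 bytes, the key size AES-256 expects, so the
     * configured `encrypt_salt` is no longer truncated or NUL-padded by
     * openssl depending on its length.
     *
     * @return string 32 raw bytes.
     * @throws RuntimeException if Advanced.encrypt_salt is not configured.
     */
    private static function encryptionKey()
    {
        $advanced = HazeConfig::get('Advanced');
        if (!is_array($advanced) || empty($advanced['encrypt_salt'])) {
            throw new RuntimeException('Advanced.encrypt_salt is not configured; CSRF tokens cannot be protected');
        }

        return hash('sha256', (string) $advanced['encrypt_salt'], true);
    }
}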
I'll just leave it here.
Good luck.