PHP CSRF Protection.
Add this token (stored in the session) to each form and validate on each POST.
I'll just leave it here.PHP Code:<?php
class HazeCSRF
{
public static function setCSRFToken()
{
$session_id = session_id();
$user_ip = $_SERVER['REMOTE_ADDR'];
$time = time();
$token = HazeHash::create($session_id.$user_ip.$time);
HazeRequest::setSession('csrf_token', $token);
}
public static function encryptCSRFToken($method = "AES-256-CBC")
{
$advanced = HazeConfig::get('Advanced');
$secret = $advanced['encrypt_salt'];
if(!HazeRequest::getSession('csrf_token'))
{
self::setCSRFToken();
}
$iv_size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$encrypted = openssl_encrypt(HazeRequest::getSession('csrf_token'), $method, $secret, 0, $iv);
return base64_encode($iv.$encrypted);
}
public static function decryptCSRFToken($token, $method = "AES-256-CBC")
{
$advanced = HazeConfig::get('Advanced');
$secret = $advanced['encrypt_salt'];
$token = base64_decode($token);
$iv_size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CBC);
$iv = substr($token, 0, $iv_size);
return openssl_decrypt(substr($token, $iv_size), $method, $secret, 0, $iv);
}
public static function isValid($csrf_token)
{
$token = self::decryptCSRFToken($csrf_token);
if($token == HazeRequest::getSession('csrf_token'))
{
self::setCSRFToken();
return true;
}
return false;
}
}
Good luck.
Reply With Quote![[PHP] CSRF Protection](http://ragezone.com/hyper728.png)
