Stud.IP  6.1
Static Public Member Functions | Data Fields | Static Protected Attributes
CSRFProtection Class Reference

Static Public Member Functions

static setStorage (&$storage)
 
static & getStorage ()
 
static verifyUnsafeRequest ()
 
static verifySecurityToken ()
 
static token ()
 
static tokenTag (array $attributes=[])
 
static sessionticket ()
 
static verifySessionticket ($studipticket)
 

Data Fields

const TOKEN = 'security_token'
 
const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'
 

Static Protected Attributes

static $storage = null
 

Detailed Description

To protect Stud.IP from forged request from other sites a security token is generated and stored in the session and all forms (or rather POST request) have to contain that token which is then compared on the server side to verify the authenticity of the request. GET request are not checked as these are assumed to be idempotent anyway.

If a forgery is detected, an InvalidSecurityTokenException is thrown and a log entry is recorded in the error log.

The (form or request) parameter is named "security token". If you are authoring an HTML form, you have to include this as an input[=hidden] element. This is easily done by calling:

echo CSRFProtection::tokenTag();

Checking the token is implicitly done when calling #page_open in file lib/phplib/page4.inc

Member Function Documentation

◆ getStorage()

static& getStorage ( )
static

Returns a reference to the used storage.

Returns
array|null

◆ sessionticket()

static sessionticket ( )
static

returns a random string token for XSRF prevention the string is stored in the session

Returns
string

◆ setStorage()

static setStorage ( $storage)
static

Set a storage to use.

Parameters
$storage

◆ token()

static token ( )
static

Returns the token stored in the session generating it first if required.

Returns
string a base64 encoded string of 32 random bytes
Exceptions
SessionRequiredExceptionthere is no session to store the token in

◆ tokenTag()

static tokenTag ( array  $attributes = [])
static

Returns a snippet of HTML containing an input[=hidden] element like this:

<input type="hidden" name="security_token" value="012345678901234567890123456789==">
Parameters
array$attributesAdditional attributes to be added to the input
Returns
string the HTML snippet containing the input element

◆ verifySecurityToken()

static verifySecurityToken ( )
static

This checks the request and throws an InvalidSecurityTokenException if fails to verify its authenticity.

Exceptions
InvalidSecurityTokenExceptionrequest is invalid

◆ verifySessionticket()

static verifySessionticket (   $studipticket)
static

checks the given string token against the one stored in the session

Parameters
string$studipticket
Returns
bool

◆ verifyUnsafeRequest()

static verifyUnsafeRequest ( )
static

This checks the request and throws an InvalidSecurityTokenException if fails to verify its authenticity.

Exceptions
MethodNotAllowedExceptionThe request has to be unsafe in terms of RFC 2616.
InvalidSecurityTokenExceptionThe request is invalid as the security token does not match.

Field Documentation

◆ $storage

$storage = null
staticprotected

◆ AJAX_TOKEN

const AJAX_TOKEN = 'HTTP_X_CSRF_TOKEN'

◆ TOKEN

const TOKEN = 'security_token'

The name of the parameter.

The documentation for this class was generated from the following file: