PHP Класс lithium\security\validation\RequestToken

RequestToken will persist the token for the life of the client session, and generate per-request keys that will match against that token. Using these token/key pairs in forms and other non-idempotent requests will help you secure your application against cross-site request forgeries, or CSRF attacks. ### Example views/comments/add.html.php: ... form->create($object); ?> security->requestToken(); ?> Other fields... form->end(); ?> controllers/CommentsController.php: public function add() { if ($this->request->data && !RequestToken::check($this->request)) { Key didn't match the CSRF token. Regenerate the session token and prompt the user to retry the form submission. RequestToken::get(array('regenerate' => true)); return; } Handle a normal request... }

См. также: lithium\template\helper\Security::requestToken()

См. ссылку: Cross-Site Request Forgeries

Показать файл Открыть проект Примеры использования класса

Защищенные свойства (Protected)

Свойство	Тип	Описание
$_classes	array	Class dependencies.

Открытые методы

Метод	Описание
check ( mixed $key, array $options = [] ) : boolean	Checks a single-use hash key against the session token that generated it, using a cryptographically-secure verification method. Accepts either the request key as a string, or a Request object with a $data property containing a ['security']['token'] key.
config ( array $config = [] ) : array	Used to get or reconfigure dependencies with custom classes.
get ( array $options = [] ) : string	Generates (or regenerates) a cryptographically-secure token to be used for the life of the client session, and stores the token using the Session class.
key ( array $options = [] ) : string	Generates a single-use key to be embedded in a form or used with another non-idempotent request (a request that changes the state of the server or application), that will match against a client session token using the check() method.

Описание методов

check() публичный статический Метод

For example, the following two controller code samples are equivalent: $key = $this->request->data['security']['token']; if (!RequestToken::check($key)) { Handle invalid request... } if (!RequestToken::check($this->request)) { Handle invalid request... }

public static check ( mixed $key, array $options = [] ) : boolean
$key	mixed	Either the actual key as a string, or a `Request` object containing the key.
$options	array	The options to use when matching the key to the token: - `'sessionKey'` _string_: The key used when reading the token from the session.
Результат	boolean	Returns `true` if the hash key is a cryptographic match to the stored session token. Returns `false` on failure, which indicates a forged request attempt.

config() публичный статический Метод

Used to get or reconfigure dependencies with custom classes.

public static config ( array $config = [] ) : array
$config	array	When assigning new configuration, should be an array containing a `'classes'` key.
Результат	array	If `$config` is empty, returns an array with a `'classes'` key containing class dependencies. Otherwise returns `null`.

get() публичный статический Метод

Generates (or regenerates) a cryptographically-secure token to be used for the life of the client session, and stores the token using the Session class.

См. также: lithium\util\String::hash()

public static get ( array $options = [] ) : string
$options	array	An array of options to be used when generating or storing the token: - `'regenerate'` _boolean_: If `true`, will force the regeneration of a the token, even if one is already available in the session. Defaults to `false`. - `'sessionKey'` _string_: The key used for session storage and retrieval. Defaults to `'security.token'`. - `'salt'` _string_: If the token is being generated (or regenerated), sets a custom salt value to be used by `String::hash()`. - `'type'` _string_: The hashing algorithm used by `String::hash()` when generating the token. Defaults to `'sha512'`.
Результат	string	Returns a cryptographically-secure client session token.

key() публичный статический Метод

Generates a single-use key to be embedded in a form or used with another non-idempotent request (a request that changes the state of the server or application), that will match against a client session token using the check() method.

См. также: lithium\security\validation\RequestToken::check()

public static key ( array $options = [] ) : string
$options	array	An array of options to be passed to `RequestToken::get()`.
Результат	string	Returns a hashed key string for use with `RequestToken::check()`.

Описание свойств

$_classes защищенное статическое свойство

Class dependencies.

protected static array $_classes
Результат	array