PHP Class lithium\security\validation\RequestToken

RequestToken will persist the token for the life of the client session, and generate per-request keys that will match against that token. Using these token/key pairs in forms and other non-idempotent requests will help you secure your application against cross-site request forgeries, or CSRF attacks.

Example

views/comments/add.html.php:

```php
<?=$this->form->create($object); ?>
	<?=$this->security->requestToken(); ?>
	<!-- Other fields... -->
<?=$this->form->end(); ?>
```

controllers/CommentsController.php:

```php
use lithium\security\validation\RequestToken;

public function add() {
	if ($this->request->data && !RequestToken::check($this->request)) {
		// Key didn't match the CSRF token. Regenerate the session token and prompt the user to
		// retry the form submission.
		RequestToken::get(array('regenerate' => true));
		return;
	}
	// Handle a normal request...
}
```
See also: lithium\template\helper\Security::requestToken()
Project: unionofrad/lithium

Protected Properties

| Property | Type | Description |
|---|---|---|
| $_classes | array | Class dependencies. |

Public Methods

| Method | Description |
|---|---|
| check ( mixed $key, array $options = [] ) : boolean | Checks a single-use hash key against the session token that generated it, using a cryptographically-secure verification method. Accepts either the request key as a string, or a Request object with a $data property containing a ['security']['token'] key. |
| config ( array $config = [] ) : array | Used to get or reconfigure dependencies with custom classes. |
| get ( array $options = [] ) : string | Generates (or regenerates) a cryptographically-secure token to be used for the life of the client session, and stores the token using the Session class. |
| key ( array $options = [] ) : string | Generates a single-use key to be embedded in a form or used with another non-idempotent request (a request that changes the state of the server or application), that will match against a client session token using the check() method. |

Method Details

check() public static method

Checks a single-use hash key against the session token that generated it, using a cryptographically-secure verification method. Accepts either the request key as a string, or a Request object with a $data property containing a ['security']['token'] key.

For example, the following two controller code samples are equivalent:

```php
$key = $this->request->data['security']['token'];

if (!RequestToken::check($key)) {
	// Handle invalid request...
}
```

```php
if (!RequestToken::check($this->request)) {
	// Handle invalid request...
}
```
public static check ( mixed $key, array $options = [] ) : boolean
$key mixed Either the actual key as a string, or a `Request` object containing the key.
$options array The options to use when matching the key to the token:
- `'sessionKey'` _string_: The key used when reading the token from the session.
return boolean Returns `true` if the hash key is a cryptographic match to the stored session token. Returns `false` on failure, which indicates a forged request attempt.

config() public static method

Used to get or reconfigure dependencies with custom classes.
public static config ( array $config = [] ) : array
$config array When assigning new configuration, should be an array containing a `'classes'` key.
return array If `$config` is empty, returns an array with a `'classes'` key containing class dependencies. Otherwise returns `null`.

get() public static method

Generates (or regenerates) a cryptographically-secure token to be used for the life of the client session, and stores the token using the Session class.
See also: lithium\util\String::hash()
public static get ( array $options = [] ) : string
$options array An array of options to be used when generating or storing the token:
- `'regenerate'` _boolean_: If `true`, will force the regeneration of the token, even if one is already available in the session. Defaults to `false`.
- `'sessionKey'` _string_: The key used for session storage and retrieval. Defaults to `'security.token'`.
- `'salt'` _string_: If the token is being generated (or regenerated), sets a custom salt value to be used by `String::hash()`.
- `'type'` _string_: The hashing algorithm used by `String::hash()` when generating the token. Defaults to `'sha512'`.
return string Returns a cryptographically-secure client session token.

key() public static method

Generates a single-use key to be embedded in a form or used with another non-idempotent request (a request that changes the state of the server or application), that will match against a client session token using the check() method.
See also: lithium\security\validation\RequestToken::check()
public static key ( array $options = [] ) : string
$options array An array of options to be passed to `RequestToken::get()`.
return string Returns a hashed key string for use with `RequestToken::check()`.
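The get(), key() and check() sections above describe a contract (one long-lived session token, many distinct per-request keys, each verifiable against that token) without showing why it holds. The following stand-alone script is an added illustration of that contract, not Lithium's own code: PHP's built-in `random_bytes()`, `password_hash()` and `password_verify()` stand in for the library's `String::hash()`, `Password` and `Session` classes (that substitution is an assumption of the illustration), a plain `$session` array stands in for session storage, and `SESSION_KEY` mirrors the documented default `'security.token'`. The functions `sessionToken()`, `requestKey()` and `checkKey()` are hypothetical names chosen here to parallel `get()`, `key()` and `check()`.

```php
<?php
// Added illustration of the RequestToken token/key/check contract using PHP built-ins.
// Not the library's implementation; see the lead-in for the assumptions it makes.

const SESSION_KEY = 'security.token'; // mirrors the documented default 'sessionKey'

/** Parallel of RequestToken::get(): return the session token, creating it if absent. */
function sessionToken(array &$session, bool $regenerate = false): string
{
    if ($regenerate || empty($session[SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded; lives for the whole session.
        $session[SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[SESSION_KEY];
}

/** Parallel of RequestToken::key(): a per-request key derived from the token with a fresh random salt. */
function requestKey(array &$session): string
{
    // Each call salts the same token differently, so every rendered form carries a different key.
    return password_hash(sessionToken($session), PASSWORD_BCRYPT);
}

/**
 * Parallel of RequestToken::check(): accept either the key string or a request-like
 * array whose 'data' carries ['security']['token'], then verify in constant time.
 */
function checkKey(array &$session, $key): bool
{
    if (is_array($key)) {
        $key = $key['data']['security']['token'] ?? '';
    }
    if (empty($session[SESSION_KEY]) || !is_string($key) || $key === '') {
        return false; // no token in the session, or no key submitted: treat as forged
    }
    return password_verify($session[SESSION_KEY], $key);
}

// --- Constructed demonstration (no real session involved) ---
$session = [];

$keyA = requestKey($session);
$keyB = requestKey($session);
assert($keyA !== $keyB);                                                   // distinct keys per form
assert(checkKey($session, $keyA) === true);                                // both verify against
assert(checkKey($session, ['data' => ['security' => ['token' => $keyB]]]) === true); // the same token

$notDerived = str_repeat('x', strlen($keyA));                              // constructed junk key
assert(checkKey($session, $notDerived) === false);

// Regenerating the token, as the controller example does after a failed check
// (RequestToken::get(array('regenerate' => true))), invalidates every earlier key.
sessionToken($session, true);
assert(checkKey($session, $keyA) === false);

echo "token/key contract holds\n";
```

Run it with `php -d zend.assertions=1 script.php`; with assertions disabled PHP skips the `assert()` calls. The point the script makes concrete is the one the API relies on: a key never has to be stored server-side, because it is a salted hash of the token and can be verified against the token alone, and throwing the token away is what revokes all outstanding keys.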

Property Details

$_classes protected static property

Class dependencies.
protected static array $_classes
return array