adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2025-01-31 17:16:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Making the ability to use longer shared csrf tokens possible. This should make for fewer blackholed' requests when doing complicated javascript.

Browse source
This commit is contained in:
mark_story 2010-10-24 20:26:31 -04:00
parent c6c3295c5c
commit 22239b4481
2 changed files with 40 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
cake/libs/controller/components/security.php
View file

@ -172,6 +172,16 @@ class SecurityComponent extends Component {
*/ */
public $csrfExpires = '+30 minutes'; public $csrfExpires = '+30 minutes';
/**
* Controls whether or not CSRF tokens are use and burn. Set to false to not generate
* new tokens on each request. One token will be reused until it expires. This reduces
* the chances of users getting invalid requests because of token consumption.
* It has the side effect of making CSRF less secure, as tokens are reusable.
*
* @var boolean
*/
public $csrfUseOnce = true;
/** /**
* Other components used by the Security component * Other components used by the Security component
* *
@ -677,17 +687,16 @@ class SecurityComponent extends Component {
'csrfTokens' => array() 'csrfTokens' => array()
); );
if ($this->csrfCheck) { $tokenData = array();
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
if ($this->Session->check('_Token')) { if ($this->Session->check('_Token')) {
$tokenData = $this->Session->read('_Token'); $tokenData = $this->Session->read('_Token');
if (!empty($tokenData['csrfTokens'])) { if (!empty($tokenData['csrfTokens'])) {
$token['csrfTokens'] += $tokenData['csrfTokens']; $token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
$token['csrfTokens'] = $this->_expireTokens($token['csrfTokens']);
} }
} }
if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
$controller->request->params['_Token'] = $token; $controller->request->params['_Token'] = $token;
$this->Session->write('_Token', $token); $this->Session->write('_Token', $token);
return true; return true;
@ -705,7 +714,9 @@ class SecurityComponent extends Component {
$token = $this->Session->read('_Token'); $token = $this->Session->read('_Token');
$requestToken = $controller->request->data('_Token.key'); $requestToken = $controller->request->data('_Token.key');
if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) { if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
if ($this->csrfUseOnce) {
$this->Session->delete('_Token.csrfTokens.' . $requestToken); $this->Session->delete('_Token.csrfTokens.' . $requestToken);
}
return true; return true;
} }
return false; return false;

22
cake/tests/cases/libs/controller/components/security.test.php
View file

@ -1407,4 +1407,26 @@ DIGEST;
$this->Security->startup($this->Controller); $this->Security->startup($this->Controller);
$this->assertTrue($this->Controller->failed, 'fail() was not called.'); $this->assertTrue($this->Controller->failed, 'fail() was not called.');
} }
/**
* test that csrfUseOnce = false works.
*
* @return void
*/
function testCsrfNotUseOnce() {
$this->Security->validatePost = false;
$this->Security->csrfCheck = true;
$this->Security->csrfUseOnce = false;
$this->Security->csrfExpires = '+10 minutes';
// Generate one token
$this->Security->startup($this->Controller);
$token = $this->Security->Session->read('_Token.csrfTokens');
$this->assertEquals(1, count($token), 'Should only be one token.');
$this->Security->startup($this->Controller);
$token2 = $this->Security->Session->read('_Token.csrfTokens');
$this->assertEquals(1, count($token2), 'Should only be one token.');
$this->assertEquals($token, $token2, 'Tokens should not be different.');
}
} }