mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2025-01-19 02:56:15 +00:00
Making the ability to use longer shared csrf tokens possible. This should make for fewer blackholed' requests when doing complicated javascript.
This commit is contained in:
mark_story
parent
c6c3295c5c
commit
22239b4481
2 changed files with 40 additions and 7 deletions
|
|
@ -172,6 +172,16 @@ class SecurityComponent extends Component {
|
|||
*/
|
||||
public $csrfExpires = '+30 minutes';
|
||||
|
||||
/**
|
||||
* Controls whether or not CSRF tokens are use and burn. Set to false to not generate
|
||||
* new tokens on each request. One token will be reused until it expires. This reduces
|
||||
* the chances of users getting invalid requests because of token consumption.
|
||||
* It has the side effect of making CSRF less secure, as tokens are reusable.
|
||||
*
|
||||
* @var boolean
|
||||
*/
|
||||
public $csrfUseOnce = true;
|
||||
|
||||
/**
|
||||
* Other components used by the Security component
|
||||
*
|
||||
|
|
@ -677,17 +687,16 @@ class SecurityComponent extends Component {
|
|||
'csrfTokens' => array()
|
||||
);
|
||||
|
||||
if ($this->csrfCheck) {
|
||||
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
|
||||
}
|
||||
|
||||
$tokenData = array();
|
||||
if ($this->Session->check('_Token')) {
|
||||
$tokenData = $this->Session->read('_Token');
|
||||
if (!empty($tokenData['csrfTokens'])) {
|
||||
$token['csrfTokens'] += $tokenData['csrfTokens'];
|
||||
$token['csrfTokens'] = $this->_expireTokens($token['csrfTokens']);
|
||||
$token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
|
||||
}
|
||||
}
|
||||
if ($this->csrfCheck && ($this->csrfUseOnce || empty($tokenData['csrfTokens'])) ) {
|
||||
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
|
||||
}
|
||||
$controller->request->params['_Token'] = $token;
|
||||
$this->Session->write('_Token', $token);
|
||||
return true;
|
||||
|
|
@ -705,7 +714,9 @@ class SecurityComponent extends Component {
|
|||
$token = $this->Session->read('_Token');
|
||||
$requestToken = $controller->request->data('_Token.key');
|
||||
if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
|
||||
if ($this->csrfUseOnce) {
|
||||
$this->Session->delete('_Token.csrfTokens.' . $requestToken);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
|
|
|||
|
|
@ -1407,4 +1407,26 @@ DIGEST;
|
|||
$this->Security->startup($this->Controller);
|
||||
$this->assertTrue($this->Controller->failed, 'fail() was not called.');
|
||||
}
|
||||
|
||||
/**
|
||||
* test that csrfUseOnce = false works.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
function testCsrfNotUseOnce() {
|
||||
$this->Security->validatePost = false;
|
||||
$this->Security->csrfCheck = true;
|
||||
$this->Security->csrfUseOnce = false;
|
||||
$this->Security->csrfExpires = '+10 minutes';
|
||||
|
||||
// Generate one token
|
||||
$this->Security->startup($this->Controller);
|
||||
$token = $this->Security->Session->read('_Token.csrfTokens');
|
||||
$this->assertEquals(1, count($token), 'Should only be one token.');
|
||||
|
||||
$this->Security->startup($this->Controller);
|
||||
$token2 = $this->Security->Session->read('_Token.csrfTokens');
|
||||
$this->assertEquals(1, count($token2), 'Should only be one token.');
|
||||
$this->assertEquals($token, $token2, 'Tokens should not be different.');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue