PHP Classes

File: Csrf.php

Recommend this page to a friend!
  Classes of mohammad anzawi   PHP CSRF Token Library   Csrf.php   Download  
File: Csrf.php
Role: Class source
Content type: text/plain
Description: Class source
Class: PHP CSRF Token Library
Generate and validate tokens to avoid CSRF attacks
Author: By
Last change:
Date: 7 months ago
Size: 5,218 bytes
 

Contents

Class file image Download
<?php

##############################################################################\
###############################################################################
## Author : Mohammad Anzawi from phptricks.org ##
## License : MIT ##
## ##
## see all my free and open source php libraries and classes on github: ##
## https://github.com/anzawi ##
## ##
## visit my blog -> http://phptricks.org ##
## ##
###############################################################################
## Please Dont Remove this comment block. ##
## ##
###############################################################################
##############################################################################/
class Csrf
{

   
// the session and field name
   
private $_tokenName = "_token";

   
// we dont need a doblucate object just one - instanse -
   
private static $__obj = null;

    private function
__construct()
    {
       
// check if session is not started , start session
       
if (session_id() == '') {
           
session_start();
        }

       
// generate token
       
$this->generate();
    }

   
// initilize the class
   
public static function init()
    {
       
// check if object already created ro not
       
if (!isset(self::$__obj) || is_null(self::$__obj)) {
           
self::$__obj = new Csrf(); // create new object
       
}

        return
self::$__obj;
    }


   
/**
      * check if token (CSRF) generated or not
      * precautionary measure because we generated in __construct function
    */
   
private function checkIfTokenIsGenerated()
    {
        return isset(
$_SESSION[$this->_tokenName]);
    }

   
/**
      * generate token value
    */
   
public function generate()
    {
       
// check if token has been generated - if not generate a new one.
        // otherwise return old token
        // to allow multi forms in same page
        // if we dont do that , only last form can be passed from token check.
       
if (!$this->checkIfTokenIsGenerated())
           
$_SESSION[$this->_tokenName] = sha1(uniqid() . rand() * time());

        return
$_SESSION[$this->_tokenName];
    }

   
/**
      * get token value
    */
   
public function getToken()
    {
       
// check if its not generated , if not generate a new one
       
if(!$this->checkIfTokenIsGenerated())
            return
$this->generate();

        return
$_SESSION[$this->_tokenName];
    }


   
/**
      * this method to check if submited token is valid or not.
      * its accept (optional) paramener, this parameter -> value of submited token
      * if you dont sent the value, we get submited token value if its exist.
    */
   
public function checkToken($value = '')
    {
       
// check if value paramenter is not send
        // and token value is not submited or token is not generated
        // return bool(false)
       
if(!$value && !$this->submitedToken() || !$this->checkIfTokenIsGenerated())
        {
            return
false;
        }

       
// if token value not sent so the value is the submited value
       
$value = $value ? $value : $_POST[$this->_tokenName];
       
// (bool) if token submited value is equal token in session so true otherwise false
       
$valid = $value === $_SESSION[$this->_tokenName];

       
// delete (remove, destroy, unset) current token value from session
       
$this->destroy();
       
// return (bool)
       
return $valid;
    }

   
// this method if we want to kill page if token is not match our session
    /**

How to Use :::::

if($token->checkToken())
{
 // evrything is OK , process last action
}
else
{
    // the token is not match , something wrong - CSRF Attack
}
-----------------------

OR ----

$token->ValidOrDie();
 // evrything is OK , process last action
 // because if anything is wrong the page was killed from ValidOrDie() method

    */
   
public function ValidOrDie()
    {
        if(!
$this->checkToken()) die("Oops, invalid server request . the CSRF not Matched our storage");
    }

   
// auto generate input field from form in html page
   
public function csrfField()
    {
        return
"<input type='hidden' name='" . $this->_tokenName . "' value='" . $this->getToken() . "'>";
    }

   
// delete token session
   
public function destroy()
    {
        unset(
$_SESSION[$this->_tokenName]);
    }

   
// here we just check if token value is submited ($_GET or $_POST only)
   
private function submitedToken()
    {
       
$token = false;

        if(isset(
$_POST[$this->_tokenName]))
           
$token = $_POST[$this->_tokenName];
        elseif(isset(
$_GET[$this->_tokenName]))
           
$token = $_GET[$this->_tokenName];

        return
$token;
    }
}