Refactored Csrf form widget. + Added unit tests for Csrt.

This commit is contained in:
Dmitry Khomutov 2018-03-12 22:58:12 +07:00
commit 7abd3febc1
No known key found for this signature in database
GPG key ID: EC19426474B37AAC
9 changed files with 175 additions and 103 deletions


@ -6,17 +6,16 @@ use PHPCensor\View;
class Csrf extends Hidden
{
/**
* @var integer
*/
protected $rows = 4;
/**
* @return boolean
*/
public function validate()
{
if ($this->value != $_COOKIE[$this->getName()]) {
$sessionToken = isset($_SESSION['csrf_tokens'][$this->getName()])
? $_SESSION['csrf_tokens'][$this->getName()]
: null;
if ($this->value !== $sessionToken) {
return false;
}
@ -30,9 +29,12 @@ class Csrf extends Hidden
{
parent::onPreRender($view);
$csrf = md5(microtime(true));
$view->csrf = $csrf;
$this->setValue(
rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=')
);
setcookie($this->getName(), $csrf);
$view->value = $this->getValue();
$_SESSION['csrf_tokens'][$this->getName()] = $this->getValue();
}
}
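Review bot: In validate(), the strict comparison on the `if ($this->value !== $sessionToken)` line does not reject a missing token: the ternary above yields null when `$_SESSION['csrf_tokens'][$this->getName()]` is unset, and `$this->value` is presumably null as well when the hidden field is absent from the request, so `null !== null` is false and a session that never rendered the form falls through past the check. Reject the absent-token case explicitly and compare in constant time: `if ($sessionToken === null || !is_string($this->value) || !hash_equals($sessionToken, $this->value)) { return false; }`. validate()'s body continues outside the hunk, so the return path after this check is not visible here. In onPreRender(), if the `$csrf = md5(microtime(true))`, `$view->csrf = $csrf` and `setcookie($this->getName(), $csrf)` lines survive on the new side, they look dead now that validation reads the session token rather than the cookie, and dropping them would avoid shipping a second, unused token; the rendering does not make clear which side those lines belong to.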