Use a CSRF token on the login form to prevent CSRF attacks.

2015-03-08 17:57:16 +01:00 · 2015-03-08 17:57:16 +01:00 · 3467e77e74
parent 9d6a65b415
commit 3467e77e74
1 changed files with 38 additions and 8 deletions
--- a/PHPCI/Controller/SessionController.php
+++ b/PHPCI/Controller/SessionController.php
@ -43,15 +43,23 @@ class SessionController extends \PHPCI\Controller
        $isLoginFailure = false;

        if ($this->request->getMethod() == 'POST') {
-            $user = $this->userStore->getByEmail($this->getParam('email'));

-            if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {
-                $_SESSION['phpci_user_id']    = $user->getId();
-                $response = new b8\Http\Response\RedirectResponse();
-                $response->setHeader('Location', $this->getLoginRedirect());
-                return $response;
-            } else {
+            $token = $this->getParam('token');
+            if ($token === null || $token !== $_SESSION['login_token']) {
                $isLoginFailure = true;
+            } else {
+                unset($_SESSION['login_token']);
+
+                $user = $this->userStore->getByEmail($this->getParam('email'));
+
+                if ($user && password_verify($this->getParam('password', ''), $user->getHash())) {
+                    $_SESSION['phpci_user_id']    = $user->getId();
+                    $response = new b8\Http\Response\RedirectResponse();
+                    $response->setHeader('Location', $this->getLoginRedirect());
+                    return $response;
+                } else {
+                    $isLoginFailure = true;
+                }
            }
        }

@ -78,9 +86,15 @@ class SessionController extends \PHPCI\Controller
        $pwd->setClass('btn-success');
        $form->addField($pwd);

+        $tokenValue = $this->generateToken();
+        $_SESSION['login_token'] = $tokenValue;
+        $token = new b8\Form\Element\Hidden('token');
+        $token->setValue($tokenValue);
+        $form->addField($token);
+
        $this->view->form = $form->render();
        $this->view->failed = $isLoginFailure;
-        
+
        return $this->view->render();
    }

@ -180,4 +194,20 @@ class SessionController extends \PHPCI\Controller

        return $rtn;
    }
+
+    /** Generate a random token.
+     *
+     * @return string
+     */
+    protected function generateToken()
+    {
+        if(function_exists('openssl_random_pseudo_bytes')) {
+            return bin2hex(openssl_random_pseudo_bytes(16));
+        }
+
+        return sprintf("%04x", mt_rand(0, 0xFFFF))
+            . sprintf("%04x", mt_rand(0, 0xFFFF))
+            . sprintf("%04x", mt_rand(0, 0xFFFF))
+            . sprintf("%04x", mt_rand(0, 0xFFFF));
+    }
 }