csrfprotector.php

Summary
csrfprotector.php
Variables
$cookieExpiryTime -- expiry time for cookie @var int
$isSameOrigin -- flag for cross origin/same origin request @var bool
$isValidHTML -- flag to check if output file is a valid HTML or not @var bool
$requestType -- variable to store whether request type is POST or GET @var string
$config -- config file for CSRFProtector @var int Array, length = 6. Properties: #1: failedAuthAction (int) => action to be taken in case authorisation fails; #2: logDirectory (string) => directory in which the log will be saved; #3: customErrorMessage (string) => custom error message to be sent in case of failed authentication; #4: jsFile (string) => location of the CSRFProtector js file; #5: tokenLength (int) => default length of hash; #6: disabledJavascriptMessage (string) => error message if client's js is disabled
Functions
init -- function to initialise the csrfProtector workflow
useCachedVersion -- function to check whether to use the cached version of the js file or not
createNewJsCache -- function to create a new cached version of the js
authorisePost -- function to authorise incoming POST requests
failedValidationAction -- function to be called in case of failed validation; performs logging and takes the appropriate action
refreshToken -- function to set the auth cookie
generateAuthToken -- function to generate a random hash of the length given in the parameter; max length = 128
ob_handler -- rewrites <form> on the fly to add CSRF tokens to them
rewriteHTML -- function to perform static rewriting of forms and URLs
modifyURL -- function to modify a url and append the CSRF token
logCSRFattack -- function to log a CSRF attack
getCurrentUrl -- function to return the current url of the executing page
isURLallowed -- function to check if a url matches any of the urls listed in the config file

Variables

$cookieExpiryTime

public static $cookieExpiryTime

expiry time for cookie @var int

$isSameOrigin

private static $isSameOrigin

flag for cross origin/same origin request @var bool

$isValidHTML

private static $isValidHTML

flag to check if output file is a valid HTML or not @var bool

$requestType

protected static $requestType

Variable to store whether request type is POST or GET @var string

$config

public static $config

config file for CSRFProtector @var int Array, length = 6. Properties:
#1: failedAuthAction (int) => action to be taken in case authorisation fails
#2: logDirectory (string) => directory in which the log will be saved
#3: customErrorMessage (string) => custom error message to be sent in case of failed authentication
#4: jsFile (string) => location of the CSRFProtector js file
#5: tokenLength (int) => default length of hash
#6: disabledJavascriptMessage (string) => error message if client's js is disabled

Functions

init

public static function init($length = null, $action = null)

function to initialise the csrfProtector workflow

Parameters

$length -- length of CSRF_AUTH_TOKEN to be generated
$action -- int array, for different actions to be taken in case of failed validation

Returns

void

Throws

configFileNotFoundException -- when configuration file is not found

useCachedVersion

public static function useCachedVersion()

function to check whether to use the cached version of the js file or not

Parameters

void

Returns

bool -- true if the cached version can be used, false otherwise

createNewJsCache

public static function createNewJsCache()

Function to create a new cached version of the js

Parameters

void

Returns

void

Throws

baseJSFileNotFoundException -- if baseJsFile is not found

authorisePost

public static function authorisePost()

function to authorise incoming POST requests

Parameters

void

Returns

void

Throws

logDirectoryNotFoundException -- if log directory is not found

failedValidationAction

private static function failedValidationAction()

function to be called in case of failed validation; performs logging and takes the appropriate action

Parameters

void

Returns

void

refreshToken

public static function refreshToken()

Function to set the auth cookie

Behavior

noJs disabled -- if the cookie is already set, reuse it; otherwise set a new one
noJs disabled -- refresh the cookie on every passed validation; the js takes care of the rest on the client side

Parameters

void

Returns

void

generateAuthToken

public static function generateAuthToken()

function to generate a random hash of the length given in the parameter; max length = 128

Parameters

length of hash required, int

Returns

string, token

ob_handler

public static function ob_handler($buffer, $flags)

Rewrites <form> on the fly to add CSRF tokens to them.  This can also inject our JavaScript library.

Parameters

$buffer -- output buffer in which all output is stored
$flags -- int

Returns

string, complete output buffer

rewriteHTML

public static function rewriteHTML($buffer)

Function to perform static rewriting of forms and URLs

Parameters

$buffer -- output buffer

Returns

$buffer -- modified buffer

modifyURL

public static function modifyURL($url, $token)

Function to modify a url and append the CSRF token

Parameters

$url -- url to modify
$token -- token to be added

Returns

modified url

logCSRFattack

private static function logCSRFattack()

Function to log a CSRF attack

Parameters

void

Returns

void

Throws

logFileWriteError -- if unable to log an attack

getCurrentUrl

private static function getCurrentUrl()

Function to return the current url of the executing page

Parameters

void

Returns

string -- current url

isURLallowed

public static function isURLallowed($url)

Function to check if a url matches any of the urls listed in the config file

Parameters

$url -- url to check

Returns

boolean -- true if the url needs no validation, false if validation is needed
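A sketch of the flow this page documents, added here as an illustrative example and not the library's own code: a constructed config with the six listed properties, a token generator bounded at 128 characters, a URL rewriter that keeps an existing query string and fragment intact, and a constant-time comparison of the cookie token with the submitted one. The function names, the config values, the sample URL and the use of CSRF_AUTH_TOKEN as both the cookie and parameter name are assumptions.

```php
<?php
// Added example illustrating the CSRFProtector flow described on this page.
// Names and values are assumed for illustration; not the library's implementation.

// Constructed config with the six properties listed under $config.
$config = [
    'failedAuthAction'          => 0,  // meaning of the int value is assumed
    'logDirectory'              => '/tmp/csrf-logs',
    'customErrorMessage'        => 'Request rejected: CSRF token mismatch.',
    'jsFile'                    => '/js/csrfprotector.js',
    'tokenLength'               => 64,
    'disabledJavascriptMessage' => 'Please enable JavaScript.',
];

// Random token of the requested length, capped at 128 as the page states.
// random_bytes() is a CSPRNG; bin2hex doubles the length, so halve the byte count.
function generate_auth_token(int $length): string
{
    $length = max(1, min($length, 128));
    $hex = bin2hex(random_bytes((int) ceil($length / 2)));
    return substr($hex, 0, $length);
}

// Append the token as a query parameter while keeping an existing query
// string and fragment intact (the fragment is never sent to the server).
function modify_url(string $url, string $token): string
{
    $fragment = '';
    if (($hashPos = strpos($url, '#')) !== false) {
        $fragment = substr($url, $hashPos);
        $url = substr($url, 0, $hashPos);
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . 'CSRF_AUTH_TOKEN=' . rawurlencode($token) . $fragment;
}

// Server-side check for a POST: the token in the cookie must equal the token
// in the request body. hash_equals() avoids a timing side channel.
function post_is_authorised(array $cookies, array $post): bool
{
    if (empty($cookies['CSRF_AUTH_TOKEN']) || empty($post['CSRF_AUTH_TOKEN'])) {
        return false;
    }
    return hash_equals($cookies['CSRF_AUTH_TOKEN'], $post['CSRF_AUTH_TOKEN']);
}

$token = generate_auth_token($config['tokenLength']);
echo modify_url('https://example.test/transfer?amount=10#summary', $token), "\n";
var_dump(post_is_authorised(['CSRF_AUTH_TOKEN' => $token], ['CSRF_AUTH_TOKEN' => $token]));
```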