My Kohana 3.3 Security class with CSRF Validation helper method
<?php
// Kohana guard: this file must only be loaded through the framework bootstrap,
// which defines SYSPATH; a direct HTTP hit on the file is refused.
if ( ! defined('SYSPATH'))
{
    die('No direct script access.');
}
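class Security extends Kohana_Security {

    /**
     * Session key under which the logout token is cached.
     *
     * @var string
     */
    protected static $_logout_token_name = 'logout_token_key';

    /**
     * Default name of the request field that carries the CSRF token.
     *
     * @var string
     */
    public static $csrf_field = 'token';

    /**
     * Creates a validation object to check if the field specified
     * is a valid CSRF token inside of Requests POST / GET
     *
     * If no field is passed, Security::$csrf_field will be used as the name.
     * POST requests are checked against the POST body; every other method
     * is checked against the query string. A token carried in the query
     * string ends up in server logs and Referer headers, so it should only
     * be relied on for plain links such as the GET-based logout.
     *
     * @param Request $request request whose data is validated
     * @param string $field (optional) name of the field holding the token
     * @return Validation object with the `not_empty` and `Security::check` rules attached
     */
    public static function csrf_validation(Request $request, $field = NULL)
    {
        if ($field === NULL)
        {
            $field = Security::$csrf_field;
        }

        // Decide if POST or GET should be checked...
        $data = ($request->method() === Request::POST) ? $request->post() : $request->query();

        // Return the newly created Validation object
        return Validation::factory($data)
            ->rule($field, 'not_empty')
            ->rule($field, 'Security::check');
    }

    /**
     * Returns the token required for logout (for GET-based CSRF prevention)
     *
     * The token is generated once per session and cached under
     * Security::$_logout_token_name, so later calls return the same value
     * until the session is destroyed.
     *
     * @return string token (40 hex characters)
     */
    public static function logout_token()
    {
        $session = Session::instance();
        $token = $session->get(Security::$_logout_token_name);

        if ( ! $token)
        {
            // uniqid() is derived from the clock and is guessable, so prefer the
            // CSPRNG from the openssl extension when it is available and reports
            // a strong source. 20 random bytes in hex give the same 40-character
            // shape as the sha1() fallback, so consumers see an identical format.
            $token = NULL;
            if (function_exists('openssl_random_pseudo_bytes'))
            {
                $strong = FALSE;
                $bytes = openssl_random_pseudo_bytes(20, $strong);
                if ($bytes !== FALSE AND $strong)
                {
                    $token = bin2hex($bytes);
                }
            }

            if ($token === NULL)
            {
                // Fallback only: no strong random source on this host
                $token = sha1(uniqid(NULL, TRUE));
            }

            $session->set(Security::$_logout_token_name, $token);
        }

        return $token;
    }

}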