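/**
 * Handle a submitted logon form, either as guest or as a registered user.
 *
 * Reads $_POST directly. 'guest_logon' selects a guest session (only when
 * user_guest_enabled() allows it). Otherwise 'user_logon' and 'user_password'
 * are handed to user_logon(); on success a session is started, a fresh CSRF
 * token is issued, the last-visit time and visitor log are updated, and the
 * auto-logon cookie pair is either set ('user_remember' === 'Y') or expired.
 *
 * Both credential fields must be plain strings: PHP builds arrays for
 * user_logon[]=... style input, and such values are rejected here instead of
 * being passed on to user_logon().
 *
 * @return bool true when a session was started, false on any failure.
 */
function logon_perform()
{
    // Guest logon path: nothing to validate beyond the guest account switch.
    if (isset($_POST['guest_logon'])) {
        if (!user_guest_enabled()) {
            return false;
        }
        session::start(0);
        session::refresh_csrf_token();
        session::update_visitor_log(0, true);
        return true;
    }

    // Registered user path: both fields present and scalar strings.
    if (!isset($_POST['user_logon'], $_POST['user_password'])
        || !is_string($_POST['user_logon'])
        || !is_string($_POST['user_password'])) {
        return false;
    }

    $user_logon = $_POST['user_logon'];
    $user_password = $_POST['user_password'];

    // user_logon() returns the uid on success, false otherwise.
    $uid = user_logon($user_logon, $user_password);
    if ($uid === false) {
        return false;
    }

    session::start($uid);
    session::refresh_csrf_token();
    forum_update_last_visit($uid);
    session::update_visitor_log($uid, true);

    // Auto-logon: store the logon name plus a token from user_generate_token()
    // for a year. Strict comparison: $_POST values are strings or arrays, so
    // === 'Y' matches exactly the same inputs as the loose form did.
    if (isset($_POST['user_remember']) && $_POST['user_remember'] === 'Y') {
        $user_token = user_generate_token($uid);
        html_set_cookie('user_logon', $user_logon, time() + YEAR_IN_SECONDS);
        html_set_cookie('user_token', $user_token, time() + YEAR_IN_SECONDS);
    } else {
        // Expire any previously issued auto-logon cookies.
        html_set_cookie('user_logon', '', time() - YEAR_IN_SECONDS);
        html_set_cookie('user_token', '', time() - YEAR_IN_SECONDS);
    }

    return true;
}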
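/**
 * Reject POST requests that do not carry the session's CSRF token.
 *
 * Skipped for non-POST requests, for scripts listed by
 * get_csrf_exempt_files(), and when BH_DISABLE_CSRF is defined. If the token
 * field name setting is missing, or the submitted token is absent, not a
 * string, or does not match session::get_csrf_token(), the submitted value is
 * dropped, a fresh token is issued and html_draw_error() is called. On success
 * the token is removed from $_POST so later code does not treat it as form
 * data.
 *
 * NOTE(review): html_draw_error() is assumed to terminate the request; if it
 * returns, execution continues as in the original code.
 *
 * @return void
 */
function form_check_csrf_token()
{
    if (!isset($_SERVER['REQUEST_METHOD']) || mb_strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
        return;
    }

    // Strict membership test: PHP_SELF is request-influenced, so do not let
    // loose string/number juggling decide the exemption.
    if (in_array(basename($_SERVER['PHP_SELF']), get_csrf_exempt_files(), true) || defined('BH_DISABLE_CSRF')) {
        return;
    }

    if (!($token_name = forum_get_setting('csrf_token_name'))) {
        html_draw_error(gettext('Sorry, you do not have access to this page.'));
    }

    // Type-safe, constant-time comparison. The previous loose != treated
    // numeric-looking tokens (e.g. '0e...') as equal and accepted non-string
    // values; both are rejected here. Each side is checked to be a string
    // because hash_equals() throws a TypeError otherwise.
    $expected = session::get_csrf_token();
    $submitted = $_POST[$token_name] ?? null;
    if (!is_string($expected) || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        unset($_POST[$token_name]);
        session::refresh_csrf_token();
        html_draw_error(gettext('Sorry, you do not have access to this page.'));
    }

    unset($_POST[$token_name]);
}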
 /**
  * Return the current session's CSRF token.
  *
  * A token is only trusted when $_SESSION['CSRF_TOKEN'] holds a string; in
  * every other case session::refresh_csrf_token() is asked to issue a new one
  * first and its stored value is returned.
  *
  * @return string
  */
 public static function get_csrf_token()
 {
     $stored = $_SESSION['CSRF_TOKEN'] ?? null;
     if (is_string($stored)) {
         return $stored;
     }
     // Missing or malformed token: regenerate before handing anything out.
     session::refresh_csrf_token();
     return $_SESSION['CSRF_TOKEN'];
 }