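/**
 * Builds the request object from the PHP superglobals, running the CSRF
 * check on POST requests first.
 *
 * A non-empty POST is only accepted when requirePostToken() is true, the
 * request is not whitelisted, the POST carries a string `_token` that
 * verifyFormToken() accepts, the 'AC.Form' session holds a form time and
 * verifyFormTime() accepts it. Any failure goes through _rejectForCsrf(),
 * which throws in debug mode and otherwise logs and ends the request with 403.
 *
 * GET parameters are exposed through set(); POST data is only kept in
 * _postData. A non-empty POST also disables the cache for this request.
 *
 * @throws Ajde_Core_Exception_Security when app.debug is enabled and the CSRF check fails
 *
 * @return Ajde_Http_Request
 */
public static function fromGlobal()
{
    $instance = new self();
    $post = self::globalPost();

    if (!empty($post) && self::requirePostToken() && !self::_isWhitelisted()) {
        // Measures against CSRF attacks
        $session = new Ajde_Session('AC.Form');

        // A token that is not a plain string (e.g. `_token[]=x`) can never
        // match and must not be handed to the verifier functions.
        $formToken = isset($post['_token']) ? $post['_token'] : null;
        if (!is_string($formToken) || !$session->has('formTime')) {
            self::_rejectForCsrf(new Ajde_Core_Exception_Security(
                'No form token received or no form time set, bailing out to prevent CSRF attack'
            ));
        }

        if (!self::verifyFormToken($formToken)) {
            // NOTE: the message embeds the session hash and the computed hash;
            // in debug mode it is thrown to the client, otherwise only logged.
            self::_rejectForCsrf(new Ajde_Core_Exception_Security(
                'No matching form token (got ' . self::_getHashFromSession($formToken)
                . ', expected ' . self::_tokenHash($formToken)
                . '), bailing out to prevent CSRF attack'
            ));
        }
        if (!self::verifyFormTime()) {
            self::_rejectForCsrf(new Ajde_Core_Exception_Security(
                'Form token timed out, bailing out to prevent CSRF attack'
            ));
        }
    }

    // Security measure, protect $_POST: only GET values go through set(),
    // POST values are kept apart in _postData.
    foreach (self::globalGet() as $key => $value) {
        $instance->set($key, $value);
    }
    $instance->_postData = $post;
    if (!empty($instance->_postData)) {
        // A response built from POST data must not be served from cache
        Ajde_Cache::getInstance()->disable();
    }

    return $instance;
}

/**
 * Rejects the current request because the CSRF check failed.
 *
 * In debug mode the response type is set to 403 and the exception is thrown;
 * otherwise the POST data is dropped, the exception is logged and the request
 * is terminated with a 403 (dieOnCode() is assumed to end the request).
 *
 * @param Ajde_Core_Exception_Security $exception
 *
 * @throws Ajde_Core_Exception_Security when app.debug is enabled
 */
private static function _rejectForCsrf(Ajde_Core_Exception_Security $exception)
{
    if (config('app.debug') === true) {
        Ajde_Http_Response::setResponseType(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
        throw $exception;
    }
    // Prevent inf. loops: drop the offending POST data before dying
    unset($_POST);
    unset($_REQUEST);
    // Rewrite
    Ajde_Exception_Log::logException($exception);
    Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
}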
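/**
 * Shutdown handler: reports a fatal error that terminated the script.
 *
 * Only the fatal error types (E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR,
 * E_USER_ERROR) are handled; anything else is ignored here. With debug
 * enabled the trace is echoed, otherwise the error goes to the native PHP
 * error log (Ajde_Exception_Log does not work at this stage) and the request
 * ends with a 500.
 */
function shutdown()
{
    $error = error_get_last();
    if (!$error) {
        return;
    }

    // 'type' is an int, so a strict membership test is safe and avoids loose comparison
    $fatalTypes = array(E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR);
    if (!in_array($error['type'], $fatalTypes, true)) {
        return;
    }

    $exception = new ErrorException($error['message'], 0, $error['type'], $error['file'], $error['line']);
    if (Config::get('debug') === true) {
        echo Ajde_Exception_Handler::trace($exception);
        return;
    }

    // Use native PHP error log function, as Ajde_Exception_Log does not work
    error_log(sprintf('%s, %d, %s, %d', $error['message'], $error['type'], $error['file'], $error['line']));
    Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_SERVERERROR);
}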
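/**
 * Starts the PHP session with hardened settings and binds it to a client
 * fingerprint.
 *
 * Configuration read: ident, gcLifetime (minutes), cookieLifetime (minutes),
 * site_path, cookieDomain, cookieSecure, cookieHttponly, secret, debug.
 * The fingerprint is md5(REMOTE_ADDR . HTTP_USER_AGENT . secret). On the
 * first request it is stored in $_SESSION['client']; on later requests a
 * mismatch is treated as possible hijacking: the session data is deleted
 * and the request ends with a 403 (or throws in debug mode).
 *
 * @throws Ajde_Exception when debug is enabled and the fingerprint does not match
 *
 * @return bool always true
 */
public function __bootstrap()
{
    // Session name
    session_name(Config::get('ident') . '_session');

    // Security
    ini_set('session.gc_maxlifetime', Config::get("gcLifetime") * 60); // PHP session garbage collection timeout in minutes
    ini_set('session.use_cookies', 1);
    ini_set('session.use_only_cookies', 1); // @see http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies

    // Cookie parameter
    $lifetime = Config::get("cookieLifetime");
    $path = Config::get('site_path');
    $domain = Config::get('cookieDomain');
    $secure = Config::get('cookieSecure');
    $httponly = Config::get('cookieHttponly');
    session_set_cookie_params($lifetime * 60, $path, $domain, $secure, $httponly);
    session_cache_limiter('private_no_expire');

    // Start the session!
    session_start();

    // Strengthen session security with REMOTE_ADDR and HTTP_USER_AGENT
    // @see http://shiflett.org/articles/session-hijacking
    // Checked before the keep-alive regeneration below, so that a rejected
    // session is deleted under the id the client actually presented.
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $fingerprint = md5($remoteAddr . $userAgent . Config::get('secret'));

    if (!isset($_SESSION['client'])) {
        // First request of this session: bind it to the client
        $_SESSION['client'] = $fingerprint;
    } else {
        $stored = $_SESSION['client'];
        // Constant-time comparison where available; a non-string value never matches
        $matches = is_string($stored) && (function_exists('hash_equals')
            ? hash_equals($fingerprint, $stored)
            : $fingerprint === $stored);
        if (!$matches) {
            // Pass true so the data under the presented id is deleted as well;
            // without it session_destroy() only removes the freshly generated id
            // and the old session stays readable until garbage collection.
            session_regenerate_id(true);
            session_destroy();
            // TODO:
            $exception = new Ajde_Exception('Possible session hijacking detected. Bailing out.');
            if (Config::getInstance()->debug === true) {
                throw $exception;
            }
            Ajde_Exception_Log::logException($exception);
            Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
        }
    }

    // Force send new cookie with updated lifetime (forcing keep-alive)
    // @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100672
    // NOTE(review): the previous id is not deleted here, so it stays valid until
    // garbage collection; session_regenerate_id(true) would close that window but
    // may break concurrent requests from the same client — confirm before changing.
    session_regenerate_id();

    // Remove the X-Powered-By header; header_remove() exists since PHP 5.3
    if (version_compare(PHP_VERSION, '5.3.0') >= 0) {
        header_remove('X-Powered-By');
    }

    return true;
}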