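 /**
  * Builds a request object from the PHP superglobals.
  *
  * For a non-empty POST that requires a form token (and is not whitelisted)
  * the CSRF checks run first: the token must be present, the form time must be
  * stored in the 'AC.Form' session, the token must verify, and the form must
  * not have timed out. Every failure goes through _handleCsrfFailure(), which
  * throws in debug mode and otherwise logs and ends the request with 403.
  *
  * GET parameters are copied onto the instance with set(); POST data is kept
  * separately in _postData and disables the cache when present.
  *
  * @throws Ajde_Core_Exception_Security when a CSRF check fails and app.debug is true
  *
  * @return Ajde_Http_Request
  */
 public static function fromGlobal()
 {
     $instance = new self();
     $post = self::globalPost();
     if (!empty($post) && self::requirePostToken() && !self::_isWhitelisted()) {
         // Measures against CSRF attacks
         $session = new Ajde_Session('AC.Form');
         if (!isset($post['_token']) || !$session->has('formTime')) {
             self::_handleCsrfFailure(new Ajde_Core_Exception_Security(
                 'No form token received or no form time set, bailing out to prevent CSRF attack'
             ));
         }
         $formToken = $post['_token'];
         // Verify the token exactly once: a second verifyFormToken() call could
         // observe different state (e.g. if verification consumes the token)
         // and misreport the failure reason in the message below.
         $tokenValid = self::verifyFormToken($formToken);
         if (!$tokenValid) {
             // The hashes in this message are only surfaced when app.debug is
             // true; the non-debug path logs the exception and dies with 403.
             self::_handleCsrfFailure(new Ajde_Core_Exception_Security(
                 'No matching form token (got ' . self::_getHashFromSession($formToken) . ', expected ' . self::_tokenHash($formToken) . '), bailing out to prevent CSRF attack'
             ));
         } elseif (!self::verifyFormTime()) {
             self::_handleCsrfFailure(new Ajde_Core_Exception_Security(
                 'Form token timed out, bailing out to prevent CSRF attack'
             ));
         }
     }
     // Security measure, protect $_POST
     $global = self::globalGet();
     foreach ($global as $key => $value) {
         $instance->set($key, $value);
     }
     $instance->_postData = self::globalPost();
     if (!empty($instance->_postData)) {
         // A response built from POST data must never be served from cache
         Ajde_Cache::getInstance()->disable();
     }
     return $instance;
 }

 /**
  * Shared failure path for the CSRF checks in fromGlobal().
  *
  * In debug mode the response type is set to 403 and the exception is thrown
  * so the developer sees it. Otherwise $_POST and $_REQUEST are cleared (so a
  * re-dispatch cannot trip the same check again), the exception is logged and
  * the request ends with a 403 via dieOnCode().
  *
  * @param Ajde_Core_Exception_Security $exception
  *
  * @throws Ajde_Core_Exception_Security when app.debug is true
  */
 private static function _handleCsrfFailure(Ajde_Core_Exception_Security $exception)
 {
     if (config('app.debug') === true) {
         Ajde_Http_Response::setResponseType(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
         throw $exception;
     }
     // Prevent inf. loops
     unset($_POST);
     unset($_REQUEST);
     // Rewrite
     Ajde_Exception_Log::logException($exception);
     Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
 }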
/**
 * Shutdown handler: reports a fatal error left behind at script end.
 *
 * Only the fatal types (E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR)
 * are handled; any other error, or no error at all, is ignored.
 *
 * In debug mode the trace is echoed straight to the output. Otherwise the
 * error is written with error_log() (Ajde_Exception_Log is not usable at this
 * point, per the original comment) and the request ends with a 500.
 */
function shutdown()
{
    $fatalTypes = array(E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR);
    $lastError = error_get_last();
    if (!$lastError || !in_array($lastError['type'], $fatalTypes)) {
        return;
    }
    $exception = new ErrorException(
        $lastError['message'],
        0,
        $lastError['type'],
        $lastError['file'],
        $lastError['line']
    );
    if (Config::get('debug') === true) {
        // Debug only: the trace (including file paths) is written to the response
        echo Ajde_Exception_Handler::trace($exception);
        return;
    }
    // Use native PHP error log function, as Ajde_Exception_Log does not work
    error_log(sprintf(
        '%s, %s, %s, %s',
        $lastError['message'],
        $lastError['type'],
        $lastError['file'],
        $lastError['line']
    ));
    Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_SERVERERROR);
}
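 /**
  * Configures and starts the PHP session, then binds it to a client fingerprint.
  *
  * Session name, garbage-collection lifetime, cookie parameters and cache
  * limiter come from Config. After session_start() the id is regenerated so a
  * fresh cookie with the updated lifetime is sent. The session is then checked
  * against _clientFingerprint(): a mismatch is treated as a possible hijack,
  * the session is destroyed and the request is aborted (thrown in debug mode,
  * otherwise logged and answered with 403).
  *
  * @throws Ajde_Exception when the stored fingerprint does not match and debug is on
  *
  * @return bool always true
  */
 public function __bootstrap()
 {
     // Session name
     session_name(Config::get('ident') . '_session');
     // Security: PHP session garbage collection timeout, configured in minutes
     ini_set('session.gc_maxlifetime', Config::get("gcLifetime") * 60);
     ini_set('session.use_cookies', 1);
     ini_set('session.use_only_cookies', 1);
     // @see http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
     // Cookie parameter (lifetime configured in minutes)
     $lifetime = Config::get("cookieLifetime");
     $path = Config::get('site_path');
     $domain = Config::get('cookieDomain');
     $secure = Config::get('cookieSecure');
     $httponly = Config::get('cookieHttponly');
     session_set_cookie_params($lifetime * 60, $path, $domain, $secure, $httponly);
     session_cache_limiter('private_no_expire');
     // Start the session!
     session_start();
     // Force send new cookie with updated lifetime (forcing keep-alive)
     // @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100672
     // NOTE(review): without the delete_old_session argument the previous
     // session data stays on the server until garbage collection.
     session_regenerate_id();
     // Strengthen session security with REMOTE_ADDR and HTTP_USER_AGENT
     // @see http://shiflett.org/articles/session-hijacking
     $fingerprint = $this->_clientFingerprint();
     if (isset($_SESSION['client']) && $_SESSION['client'] !== $fingerprint) {
         session_regenerate_id();
         session_destroy();
         $exception = new Ajde_Exception('Possible session hijacking detected. Bailing out.');
         if (Config::getInstance()->debug === true) {
             throw $exception;
         }
         Ajde_Exception_Log::logException($exception);
         Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
     } else {
         // First request of this session, or fingerprint unchanged: (re)store it
         $_SESSION['client'] = $fingerprint;
     }
     // Hide the X-Powered-By header; header_remove() exists from PHP 5.3 on
     if (version_compare(PHP_VERSION, '5.3.0') >= 0) {
         header_remove('X-Powered-By');
     }
     return true;
 }

 /**
  * Client fingerprint bound to the session: md5 of the remote address, the
  * user agent and the configured secret. Missing $_SERVER entries (CLI, some
  * proxies) are treated as empty strings instead of raising a notice, so the
  * comparison in __bootstrap() stays deterministic.
  *
  * md5 is used as a fingerprint here, not as a password hash; the value is
  * only stored in $_SESSION and compared server-side.
  *
  * @return string
  */
 private function _clientFingerprint()
 {
     $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
     $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

     return md5($remoteAddr . $userAgent . Config::get('secret'));
 }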