 /**
  * Regenerates the session. It makes the old session id obsolete and generates a new
  * session id.
  *
  * The old session is not destroyed here: it is flagged as obsolete and given a
  * short remaining lifetime so requests still running with the old id can finish.
  * NOTE(review): the code that honours 'isObsolete' / 'maxLifetime' when a session
  * is opened is outside this view — confirm it exists, otherwise the old id stays
  * usable until the garbage collector removes it.
  *
  * @access protected
  * @param \Zepi\Turbo\Request\WebRequest $request
  */
 protected function regenerateSession(WebRequest $request)
 {
     // Mark the current (soon to be old) session as obsolete with a
     // one-minute grace period before it expires
     $graceExpiresAt = time() + 60;
     $request->setSessionData('isObsolete', true);
     $request->setSessionData('maxLifetime', $graceExpiresAt);

     // Issue a fresh id; `false` keeps the old session so it can expire on its own
     session_regenerate_id(false);
     $freshSessionId = session_id();

     // Release the session lock so other requests are not blocked, then
     // reopen the session under the fresh id
     session_write_close();
     session_id($freshSessionId);
     session_start();

     // The obsolete markers were carried over into the new session data
     // by session_regenerate_id(); they only belong to the old one
     $request->deleteSessionData('isObsolete');
     $request->deleteSessionData('maxLifetime');
 }
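 /**
  * Processes all form data
  *
  * The fields are only processed when the request carries a csrf-key /
  * csrf-token pair and the token matches the one stored in the session under
  * that key. The stored token is removed before the comparison, so a token can
  * be used at most once regardless of the outcome.
  *
  * @access public
  * @param \Zepi\Turbo\Request\WebRequest $request
  */
 public function processFormData(WebRequest $request)
 {
     /**
      * If there is no csrf-key or csrf-token we return immediately
      * because this could be a hacker.
      */
     if (!$request->hasParam('csrf-key') || !$request->hasParam('csrf-token')) {
         return;
     }

     $key = $request->getParam('csrf-key');
     $token = $request->getParam('csrf-token');

     /**
      * Both values are client-supplied and the key is used to address session
      * data, so only accept non-empty strings (request params may also arrive
      * as arrays). NOTE(review): the generator that writes the key into the
      * session is outside this view; if it uses a fixed prefix, the lookup
      * should additionally be restricted to that prefix so a request cannot
      * read or remove unrelated session entries by naming them as csrf-key.
      */
     if (!is_string($key) || $key === '' || !is_string($token)) {
         return;
     }

     $sessionToken = $request->getSessionData($key);

     /**
      * Remove the old token (single use, even when the comparison below fails)
      */
     $request->deleteSessionData($key);

     /**
      * Compare in constant time so the response timing does not reveal how
      * many leading bytes of the submitted token were correct. A missing or
      * non-string session token is rejected instead of being passed to
      * hash_equals(), which requires two strings.
      */
     if (!is_string($sessionToken) || !hash_equals($sessionToken, $token)) {
         return;
     }

     /**
      * Process the form data if the csrf tokens are valid
      */
     foreach ($this->getChildrenByType('\\Zepi\\Web\\UserInterface\\Form\\Field\\FieldAbstract') as $field) {
         if ($request->hasParam($field->getHtmlName())) {
             $field->setValue($request->getParam($field->getHtmlName()), $request);
         }
     }
 }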