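 /**
  * Generates a security token for use in forms.
  *
  * The token is derived from:
  * - the username,
  * - the time at which the token was generated (microtime(true)),
  * - the url for which the token is valid (with '&amp;' normalised to '&'),
  * - a 20-character slice of the hex sha256 of the user's stored password field,
  * - the per-user salt ($user->salt) generated during user creation.
  *
  * The token is the hex sha256 of the concatenation
  * <username><time><url><partial_pwd><salt> (no separators). The
  * username, hashed url and time are persisted through SecureToken so the
  * token can be checked later.
  *
  * The validateToken() method should always be used to check a token's validity.
  *
  * @see Hash Helper
  *
  * @param string $url  URL the token is bound to.
  * @return string|false Hex-encoded token, or false when no user is logged in.
  */
 final public static function generateToken($url)
 {
     use_helper('Hash');
     $hash = new Crypt_Hash('sha256');
     AuthUser::load();
     if (!AuthUser::isLoggedIn()) {
         return false;
     }
     $user = AuthUser::getRecord();
     // Float timestamp; its string form in the concatenation below depends on
     // the `precision` ini setting. NOTE(review): confirm validateToken()
     // rebuilds the exact same string from the persisted value.
     $time = microtime(true);
     // Normalise HTML-escaped ampersands so the same URL yields the same token
     // whether it was taken from markup or passed as a raw string.
     $target_url = str_replace('&amp;', '&', $url);
     // Only a 20-char slice of the password hash enters the derivation.
     $pwd = substr(bin2hex($hash->hash($user->password)), 5, 20);

     // Reuse the persisted record for this (username, url) pair when one
     // exists, otherwise create it. Both cases store the same fields, so the
     // previously duplicated branches are merged.
     $token = SecureToken::getToken($user->username, $target_url);
     if (false === $token) {
         $token = new SecureToken();
     }
     $token->username = $user->username;
     $token->url = bin2hex($hash->hash($target_url));
     $token->time = $time;
     $token->save();

     return bin2hex($hash->hash($user->username . $time . $target_url . $pwd . $user->salt));
 }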