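/**
 * Validates whether a given secure token is still valid.
 *
 * The validateToken() method validates the token is valid by checking:
 * - that the token is not expired (through the time),
 * - the token is valid for this user,
 * - the token is valid for this url
 *
 * It does so by reconstructing the token. If at any time during the valid
 * period of the token, the username, user password or the url changed, the
 * token is considered invalid.
 *
 * The token is also considered invalid if more than SecureToken::EXPIRES seconds
 * have passed, or if no user is logged in.
 *
 * The reconstructed digest is compared with hash_equals() so that the
 * comparison takes the same time whether the first or the last byte differs;
 * a plain `===` on strings stops at the first mismatch.
 *
 * @param string $token The token supplied by the caller (untrusted input).
 * @param string $url   The url for which the token was generated.
 * @return boolean True if the token is valid, otherwise false.
 */
public static final function validateToken($token, $url)
{
    use_helper('Hash');
    $hash = new Crypt_Hash('sha256');

    AuthUser::load();
    if (!AuthUser::isLoggedIn()) {
        // No user, no token to reconstruct.
        return false;
    }

    // hash_equals() only accepts strings; a non-string could never equal a
    // hex digest anyway, so reject it the same way `===` would have.
    if (!is_string($token)) {
        return false;
    }

    $user = AuthUser::getRecord();

    // NOTE(review): as written this replacement is a no-op ('&' -> '&');
    // it presumably mirrors a normalisation done when the token was generated
    // (e.g. decoding '&amp;') — confirm against SecureToken::getTokenTime()'s
    // caller before changing it.
    $target_url = str_replace('&', '&', $url);

    // Only a 20-hex-char slice of the password digest enters the token, so a
    // password change still invalidates it without exposing the whole hash.
    $pwd = substr(bin2hex($hash->hash($user->password)), 5, 20);

    // Timestamp the token was issued for this user/url; semantics of
    // getTokenTime() are defined elsewhere in the class.
    $time = SecureToken::getTokenTime($user->username, $target_url);

    // Expired tokens are rejected before any digest work is done.
    if (microtime(true) - $time > self::EXPIRES) {
        return false;
    }

    $expected = bin2hex($hash->hash(
        $user->username . $time . $target_url . $pwd . $user->salt
    ));

    // Constant-time comparison; the known-good value goes first.
    return hash_equals($expected, $token);
}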