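/**
 * Read the cookie named by $this->cookie_name, verify it, and load its payload.
 *
 * Steps: fetch the raw value, undo transport encoding (URL-safe base64 or
 * percent-encoding), check integrity with SecureString1::validate(), parse
 * the query-string body into $this->payload, then apply the age policy.
 *
 * $this->payload is emptied for REASON_MISSING and REASON_INVALID. For
 * REASON_EXPIRED and REASON_CLOCK_SKEW the parsed payload stays in place, so
 * callers must check the return value before trusting $this->payload.
 *
 * @param int $now Timestamp to measure age against; 0 (the default) means time().
 *
 * @return mixed One of self::REASON_MISSING, self::REASON_INVALID,
 *               self::REASON_EXPIRED, self::REASON_CLOCK_SKEW or self::REASON_OK.
 */
public function read($now = 0)
{
    // get cookie
    $str = null;
    if (isset($_COOKIE[$this->cookie_name])) {
        $str = $_COOKIE[$this->cookie_name];
    }

    // 'deleted' is the placeholder value PHP's setcookie() sends when a
    // cookie is cleared, so it is treated the same as an absent cookie.
    if (empty($str) || $str == 'deleted') {
        $this->payload = array();
        return self::REASON_MISSING;
    }

    // The value is client-controlled, and PHP builds an array for cookie
    // names sent with bracket syntax. Reject anything that is not a string
    // before it reaches the string helpers below.
    if (!is_string($str)) {
        $this->payload = array();
        return self::REASON_INVALID;
    }

    // decode any wrappers; this happens before the integrity check, so the
    // check always runs on the final decoded form
    if (SecureString1::b64_chars($str)) {
        // if 100% b64 chars, then decode it
        $str = SecureString1::b64_urldecode($str);
    } else {
        // Some proxies will muck with '=' and '&' in spite of
        // the spec saying these are ok
        if (strpos($str, '%') !== false) {
            $str = urldecode($str);
            // sometimes double encoding happens
            if (strpos($str, '%') !== false) {
                $str = urldecode($str);
            }
        }
    }

    // Now check for cryptographic integrity
    $ok = SecureString1::validate($str, $this->keys);
    if (!$ok) {
        // Fail closed: drop any payload left over from an earlier read() on
        // this object so a rejected cookie never leaves usable data behind.
        $this->payload = array();
        return self::REASON_INVALID;
    }

    // from query string to array
    parse_str($str, $this->payload);

    // cookie is cryptographically valid, but check for policy on age
    if ($now === 0) {
        $now = time();
    }

    // NOTE(review): assumes every string accepted by validate() carries a
    // numeric PREFIX_CREATED field; a missing key would raise an
    // undefined-index notice here. Confirm against the signing code.
    $created = $this->payload[SecureString1::PREFIX_CREATED];
    $elapsed = $now - $created;
    if ($elapsed > $this->window) {
        return self::REASON_EXPIRED;
    }

    // Creation time is in the future relative to $now: clock skew between
    // issuer and verifier. The caller decides how to handle it.
    if ($created > $now) {
        return self::REASON_CLOCK_SKEW;
    }

    // valid
    return self::REASON_OK;
}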
/**
 * Checks SecureString1's URL-safe base64 helpers: an encode/decode round
 * trip, the character-class test, and the decoder's behaviour on input that
 * lies outside the alphabet.
 */
public function testBase64()
{
    // Round trip of a single byte. The expected wire form has '.' where
    // standard base64 would have '=' padding.
    $plain = "0";
    $wire = "MA..";
    $this->assertEquals($wire, SecureString1::b64_urlencode($plain));
    $this->assertEquals($plain, SecureString1::b64_urldecode($wire));

    // Every character here must be accepted by b64_chars().
    $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.";
    $this->assertTrue(SecureString1::b64_chars($alphabet));

    // None of these characters belong to the alphabet.
    $outside = "~!@#\$%^&*";
    $this->assertFalse(SecureString1::b64_chars($outside));

    // The decoder does not throw on bad input; it yields an empty result.
    // assertEquals compares loosely, so this also passes if the decoder
    // returns false or null instead of ''. Callers therefore cannot use the
    // decoder itself to detect malformed input.
    $this->assertEquals('', SecureString1::b64_urldecode($outside));
}