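/**
 * {@inheritdoc}
 *
 * Issues a CSRF token cookie when the request carries none, then (for requests
 * that isRequired() marks as needing protection) checks the submitted token
 * against the cookie value before handing off to the next middleware.
 *
 * @param ServerRequestInterface $request
 * @param ResponseInterface      $response
 * @param \Closure               $next
 * @return ResponseInterface A 412 response when the token check fails,
 *                           otherwise whatever $next returns.
 * @throws \RuntimeException When the PRNG cannot provide strong bytes for a
 *                           fresh token; a weak token must not be issued silently.
 */
public function __invoke(ServerRequestInterface $request, ResponseInterface $response, \Closure $next)
{
    $cookies = $request->getCookieParams();

    if (isset($cookies[self::COOKIE])) {
        $token = $cookies[self::COOKIE];
    } else {
        //Making new token. The $strong flag is checked explicitly: without it the
        //previous code accepted non-cryptographic output on older OpenSSL builds.
        //(random_bytes() is the preferred source where PHP >= 7 is guaranteed.)
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(self::TOKEN_LENGTH, $strong);
        if ($bytes === false || !$strong) {
            throw new \RuntimeException('Unable to generate a cryptographically strong CSRF token');
        }

        //base64 of N bytes is always at least N characters, so the cut is safe
        $token = substr(base64_encode($bytes), 0, self::TOKEN_LENGTH);

        //We can alter response cookies
        $response = $response->withAddedHeader(
            'Set-Cookie',
            Cookie::create(
                self::COOKIE,
                $token,
                self::LIFETIME,
                $request->getAttribute('basePath'),
                $request->getAttribute('cookieDomain')
            )->packHeader()
        );
    }

    if ($this->isRequired($request) && !$this->compare($token, $this->fetchToken($request))) {
        //Invalid CSRF token
        return $response->withStatus(412, 'Bad CSRF Token');
    }

    return $next($request->withAttribute(static::ATTRIBUTE, $token), $response);
}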
/**
 * Protect a cookie value before it is sent: either encrypt it, or append an
 * HMAC over it, depending on the configured cookie protection method.
 *
 * @param Cookie $cookie
 * @return Cookie A new cookie instance carrying the protected value.
 */
private function encodeCookie(Cookie $cookie)
{
    $plain = $cookie->getValue();

    //NOTE(review): loose comparison preserved from the original; the type of
    //cookieProtection() is not visible here, so a strict check is not assumed.
    if ($this->httpConfig->cookieProtection() == HttpConfig::COOKIE_ENCRYPT) {
        $protected = $this->encrypter()->encrypt($plain);
    } else {
        //VALUE.HMAC
        $protected = $plain . $this->hmacSign($plain);
    }

    return $cookie->withValue($protected);
}
/**
 * Build the Set-Cookie header string for this component's cookie.
 *
 * @param Request     $request Supplies the URI the cookie domain is derived from.
 * @param string|null $hash    Cookie value; null is accepted by the signature.
 * @return string
 */
protected function cookieHeader(Request $request, $hash)
{
    $lifetime = $this->getLifetime();
    $path = $this->httpConfig->basePath();
    $domain = $this->httpConfig->cookiesDomain($request->getUri());

    $cookie = Cookie::create($this->cookie, $hash, $lifetime, $path, $domain);

    return $cookie->createHeader();
}
/**
 * Generate session cookie.
 *
 * Name and lifetime come from the session config; path and domain from the
 * HTTP config, the domain being resolved against the incoming URI.
 *
 * @param UriInterface $uri       Incoming uri.
 * @param string       $sessionID
 * @return Cookie
 */
private function sessionCookie(UriInterface $uri, $sessionID)
{
    $name = $this->config->sessionCookie();
    $lifetime = $this->config->sessionLifetime();
    $path = $this->httpConfig->basePath();
    $domain = $this->httpConfig->cookiesDomain($uri);

    return Cookie::create($name, $sessionID, $lifetime, $path, $domain);
}
/**
 * Protect a cookie value before it is sent: encrypt it when the configured
 * method is ENCRYPT, otherwise append a MAC to the plain value.
 *
 * @param Cookie $cookie
 * @return Cookie A new cookie instance carrying the protected value.
 */
private function encodeCookie(Cookie $cookie)
{
    $plain = $cookie->getValue();

    //NOTE(review): loose comparison preserved from the original; the type of
    //config['method'] is not visible here, so a strict check is not assumed.
    if ($this->config['method'] == self::ENCRYPT) {
        $protected = $this->encrypter()->encrypt($plain);
    } else {
        //MAC
        $protected = $plain . $this->hmacSign($plain);
    }

    return $cookie->withValue($protected);
}
/**
 * Generate CSRF cookie.
 *
 * Name, lifetime and path come from the HTTP config; the domain is resolved
 * against the incoming URI.
 *
 * @param UriInterface $uri   Incoming uri.
 * @param string       $token
 * @return Cookie
 */
protected function tokenCookie(UriInterface $uri, $token)
{
    $name = $this->httpConfig->csrfCookie();
    $lifetime = $this->httpConfig->csrfLifetime();
    $path = $this->httpConfig->basePath();
    $domain = $this->httpConfig->cookiesDomain($uri);

    return Cookie::create($name, $token, $lifetime, $path, $domain);
}
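/**
 * Mount session id or remove session cookie.
 *
 * Commits the store when a session was started, then attaches a Set-Cookie
 * header whenever the incoming cookie does not already carry the current
 * session id.
 *
 * @param ServerRequestInterface $request
 * @param ResponseInterface      $response
 * @param SessionStore           $store
 * @param array                  $cookies Incoming cookie params (name => value).
 * @return ResponseInterface
 */
protected function setCookie(
    ServerRequestInterface $request,
    ResponseInterface $response,
    SessionStore $store,
    array $cookies
) {
    if ($store->isStarted()) {
        $store->commit();
    }

    $sessionID = $store->getID();

    //Strict comparison: the cookie value is client supplied, and a loose "!="
    //treats numeric-looking strings such as "1e3" and "1000" as equal, which
    //would skip re-sending the cookie for a genuinely different id.
    if (!isset($cookies[self::COOKIE]) || $cookies[self::COOKIE] !== $sessionID) {
        //The parameter type already guarantees a ResponseInterface, so the
        //previous instanceof guard was always true and has been dropped.
        return $response->withAddedHeader(
            'Set-Cookie',
            Cookie::create(
                self::COOKIE,
                $sessionID,
                $store->config()['lifetime'],
                $request->getAttribute('basePath'),
                $request->getAttribute('cookieDomain')
            )->packHeader()
        );
    }

    return $response;
}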