/**
 * Regenerates the session. It makes the old session id obsolete and generates a new
 * session id.
 *
 * Sequence: the current session is marked as obsolete with a short grace window,
 * a new id is generated while the old session storage is kept (the `false`
 * argument), the new session is closed and re-opened, and the two marker
 * entries are removed from the new session. The consumer of the 'isObsolete' /
 * 'maxLifetime' markers (rejecting a request that still presents the old id
 * after the window) is not visible in this file — presumably where the session
 * is started; verify.
 *
 * @access protected
 * @param \Zepi\Turbo\Request\WebRequest $request
 */
protected function regenerateSession(WebRequest $request)
{
    // Let the old session expire...
    // Both markers are written into $_SESSION before the id changes, so they are
    // also carried into the new session and are cleaned up again at the end.
    // 'maxLifetime' is an absolute Unix timestamp, 60 seconds from now.
    $request->setSessionData('isObsolete', true);
    $request->setSessionData('maxLifetime', time() + 60);

    // Regenerate the session id but don't delete the old one
    // (false = keep the old session storage so that requests still in flight
    // with the old id do not lose their session within the grace window).
    // NOTE(review): the boolean result is not checked; a failed regeneration
    // would silently continue with the old id.
    session_regenerate_id(false);

    // Get the new session id
    $newSessionId = session_id();

    // Close both sessions to free them for other requests
    session_write_close();

    // Start the session with the new id
    // NOTE(review): session_start() may also return false; the result is not checked.
    session_id($newSessionId);
    session_start();

    // Delete the temporary session data
    // (only from the new session; the old session keeps its markers).
    $request->deleteSessionData('isObsolete');
    $request->deleteSessionData('maxLifetime');
}
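/**
 * Processes all form data
 *
 * Validates the CSRF key/token pair sent with the form against the token stored
 * in the session, consumes that token (single use), and only then copies the
 * submitted values into the child fields. Any validation failure returns
 * silently without touching the fields.
 *
 * @access public
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @return void
 */
public function processFormData(WebRequest $request)
{
    /**
     * If there is no csrf-key or csrf-token we return immediately
     * because this could be a hacker.
     */
    if (!$request->hasParam('csrf-key') || !$request->hasParam('csrf-token')) {
        return;
    }

    $key = $request->getParam('csrf-key');
    $token = $request->getParam('csrf-token');

    /**
     * A key or token that is not a plain string (e.g. submitted as an array
     * parameter) can never match a stored token, so stop here instead of
     * handing it on as a session key.
     */
    if (!is_string($key) || !is_string($token)) {
        return;
    }

    /**
     * Otherwise lookup the csrf-key and csrf-token in the session and
     * validate them
     */
    $sessionToken = $request->getSessionData($key);

    /**
     * Remove the old token. This happens before the comparison so that a
     * token is single-use whether or not it validates.
     *
     * NOTE(review): $key is client-supplied and selects which session entry is
     * removed. The token generator is not visible here; if its keys follow a
     * fixed format, constraining $key to that format would stop a request from
     * removing unrelated session entries.
     */
    $request->deleteSessionData($key);

    /**
     * If the token from the form is not equal to the token in the session
     * we will return here. hash_equals() compares in constant time, so the
     * response time does not reveal how much of the token matched. A missing
     * or non-string session token can never match.
     */
    if (!is_string($sessionToken) || !hash_equals($sessionToken, $token)) {
        return;
    }

    /**
     * Process the form data if the csrf tokens are valid
     */
    foreach ($this->getChildrenByType('\\Zepi\\Web\\UserInterface\\Form\\Field\\FieldAbstract') as $field) {
        $htmlName = $field->getHtmlName();

        if ($request->hasParam($htmlName)) {
            $field->setValue($request->getParam($htmlName), $request);
        }
    }
}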