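/**
 * Generates a security token for use in forms.
 *
 * The token is generated to be as secure as possible. It consists of:
 * - the username,
 * - the time at which the token was generated,
 * - a partial sha256 result of the user's password,
 * - the url for which the token is valid,
 * - a random salt generated during user creation
 *
 * The token is the sha256 of: <username><time><url><partial_pwd><salt>
 * (concatenated in that order, with no delimiter between the fields).
 *
 * Side effects: loads the current AuthUser, and creates or updates the
 * SecureToken record for (username, url) so that the stored time is the
 * same value that is folded into the returned token.
 *
 * The validateToken() method should always be used to check a token's validity.
 *
 * @see Hash Helper
 *
 * @param string $url The url the token is bound to.
 * @return string|false Hex-encoded sha256 token, or false when no user is logged in.
 */
final public static function generateToken($url)
{
    use_helper('Hash');
    $hash = new Crypt_Hash('sha256');

    AuthUser::load();
    if (!AuthUser::isLoggedIn()) {
        // No authenticated user: there is nothing to bind the token to.
        return false;
    }

    $user = AuthUser::getRecord();
    $time = microtime(true);

    // NOTE(review): as rendered here this replacement is a no-op (search and
    // replacement are both '&'); it may have been '&amp;' -> '&' in the
    // original source -- confirm against the repository before relying on it.
    $target_url = str_replace('&', '&', $url);

    // 20 hex characters of sha256($user->password); only this substring is
    // folded into the token, not the stored password value itself.
    $pwd = substr(bin2hex($hash->hash($user->password)), 5, 20);

    // One SecureToken record per (username, url): reuse the existing row if
    // there is one, otherwise create it. Both paths write the same fields.
    $token = SecureToken::getToken($user->username, $target_url);
    if (false === $token) {
        $token = new SecureToken();
    }
    $token->username = $user->username;
    $token->url = bin2hex($hash->hash($target_url));
    $token->time = $time;
    $token->save();

    // NOTE(review): $time is a float; its string form in this concatenation
    // depends on the `precision` ini setting. validateToken() (not visible
    // here) must rebuild exactly this string from the stored record, and
    // any change to the field order must be mirrored there.
    return bin2hex($hash->hash(
        $user->username . $time . $target_url . $pwd . $user->salt
    ));
}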