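/**
 * Bootstrap CSRF protection for the current request.
 *
 * Does nothing when the mod_csrfp environment flag is set (the module already
 * verifies and filters). Otherwise: starts the session if none is active,
 * loads ../config.php into self::$config, applies the optional overrides,
 * authorises the incoming request, refreshes the token when the cookie and
 * session copies do not match, installs the output-buffer handler and emits
 * the X-CSRF-Protection header.
 *
 * @param int|null   $length token length override (cast with intval); null keeps the configured value
 * @param mixed|null $action failed-authorisation action override; null keeps the configured value
 *
 * @throws configFileNotFoundException when ../config.php does not exist
 */
public static function init($length = null, $action = null)
{
    // mod_csrfp already protects the request: no verification, no filtering here.
    if (getenv('mod_csrfp_enabled')) {
        return;
    }

    // Start a session only when none is active yet.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $configPath = __DIR__ . "/../config.php";
    if (!file_exists($configPath)) {
        throw new configFileNotFoundException("configuration file not found for CSRFProtector!");
    }

    // Load configuration file and properties.
    self::$config = (include $configPath);

    // Override the token length if passed in parameters.
    if ($length !== null) {
        self::$config['tokenLength'] = intval($length);
    }

    // Action to be taken in case of failed authorisation.
    if ($action !== null) {
        self::$config['failedAuthAction'] = $action;
    }

    // Fall back to the default token name unless the config supplies a non-empty string.
    if (!isset(self::$config['CSRFP_TOKEN'])
        || !is_string(self::$config['CSRFP_TOKEN'])
        || self::$config['CSRFP_TOKEN'] === ''
    ) {
        self::$config['CSRFP_TOKEN'] = CSRFP_TOKEN;
    }

    // Authorise the incoming request.
    self::authorisePost();

    // Issue a fresh token unless the cookie and session copies are both present and
    // identical. hash_equals() is a strict, constant-time string comparison, so the
    // loose `!=` (which would call two distinct numeric-looking strings equal) is
    // gone; the is_string() guards keep it from being handed an array cookie
    // (a `name[]=...` Cookie header) or a non-string session value.
    $tokenName = self::$config['CSRFP_TOKEN'];
    $cookieToken = isset($_COOKIE[$tokenName]) ? $_COOKIE[$tokenName] : null;
    $sessionToken = isset($_SESSION[$tokenName]) ? $_SESSION[$tokenName] : null;
    if (!is_string($cookieToken)
        || !is_string($sessionToken)
        || !hash_equals($sessionToken, $cookieToken)
    ) {
        self::refreshToken();
    }

    // Initialize output buffering handler.
    ob_start('csrfProtector::ob_handler');

    // Set protected-by-CSRF-Protector header.
    header('X-CSRF-Protection: OWASP CSRFP 1.0.0');
}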
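/**
 * Bootstrap CSRF protection for the current request.
 *
 * Does nothing when the mod_csrfp environment flag is set (the module already
 * verifies and filters). Otherwise: starts the session if none is active,
 * loads the configuration (local ../config.php first, then the composer
 * config/csrf_config.php location), applies the optional overrides, validates
 * the required keys, authorises the incoming request, installs the
 * output-buffer handler, refreshes the token when the cookie does not match
 * one of the session tokens, and emits the X-CSRF-Protection header.
 *
 * @param int|null   $length token length override (cast with intval); null keeps the configured value
 * @param mixed|null $action failed-authorisation action override; null keeps the configured value
 *
 * @throws configFileNotFoundException      when neither configuration location exists
 * @throws incompleteConfigurationException when a key listed in self::$requiredConfigurations is missing or empty
 */
public static function init($length = null, $action = null)
{
    // mod_csrfp already protects the request: no verification, no filtering here.
    if (getenv('mod_csrfp_enabled')) {
        return;
    }

    // Start a session only when none is active yet.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Check locally for a config.php, then for config/csrf_config.php in the
    // project root (composer installations).
    $standardConfigLocation = __DIR__ . "/../config.php";
    $composerConfigLocation = __DIR__ . "/../../../../../config/csrf_config.php";
    if (file_exists($standardConfigLocation)) {
        self::$config = (include $standardConfigLocation);
    } elseif (file_exists($composerConfigLocation)) {
        self::$config = (include $composerConfigLocation);
    } else {
        throw new configFileNotFoundException("OWASP CSRFProtector: configuration file not found for CSRFProtector!");
    }

    // Strict null checks: with a loose `!= null` an explicit integer 0 compares
    // equal to null and the override would be silently dropped.
    if ($length !== null) {
        self::$config['tokenLength'] = intval($length);
    }
    if ($action !== null) {
        self::$config['failedAuthAction'] = $action;
    }

    // Fall back to the default token name unless the config supplies a non-empty string.
    if (!isset(self::$config['CSRFP_TOKEN'])
        || !is_string(self::$config['CSRFP_TOKEN'])
        || self::$config['CSRFP_TOKEN'] === ''
    ) {
        self::$config['CSRFP_TOKEN'] = CSRFP_TOKEN;
    }

    // Every required key must be present and filled out. The loose `== ''` is kept
    // on purpose so that a `false` value still counts as "not filled out".
    foreach (self::$requiredConfigurations as $key) {
        if (!isset(self::$config[$key]) || self::$config[$key] == '') {
            throw new incompleteConfigurationException("OWASP CSRFProtector: Incomplete configuration file!");
        }
    }

    // Authorise the incoming request.
    self::authorizePost();

    // Initialize output buffering handler.
    ob_start('csrfProtector::ob_handler');

    // The session holds a list of valid tokens; the cookie must match one of them
    // exactly. The strict in_array() stops PHP's loose comparison from treating two
    // different numeric-looking strings as equal, and is_string() rejects an array
    // cookie (a `name[]=...` Cookie header) before it reaches the lookup.
    $tokenName = self::$config['CSRFP_TOKEN'];
    $cookieToken = isset($_COOKIE[$tokenName]) ? $_COOKIE[$tokenName] : null;
    $sessionTokens = isset($_SESSION[$tokenName]) ? $_SESSION[$tokenName] : null;
    if (!is_string($cookieToken)
        || !is_array($sessionTokens)
        || !in_array($cookieToken, $sessionTokens, true)
    ) {
        self::refreshToken();
    }

    // Set protected-by-CSRF-Protector header.
    header('X-CSRF-Protection: OWASP CSRFP 1.0.0');
}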