CodeIgniter v4.5 API

Security
implements SecurityInterface

Class Security

Provides methods that help protect your site against Cross-Site Request Forgery attacks.

Tags
see
SecurityTest

Table of Contents

Interfaces

SecurityInterface
Expected behavior of a Security.

Constants

CSRF_PROTECTION_COOKIE  = 'cookie'
CSRF_PROTECTION_SESSION  = 'session'
CSRF_HASH_BYTES  = 16

Properties

$config  : Security
Security Config
$cookie  : Cookie
The CSRF Cookie instance.
$cookieName  : string
CSRF Cookie Name (with Prefix)
$csrfProtection  : string
CSRF Protection Method
$expires  : int
CSRF Expires
$hash  : string|null
CSRF Hash (without randomization)
$headerName  : string
CSRF Header Name
$redirect  : bool
CSRF Redirect
$regenerate  : bool
CSRF Regenerate
$samesite  : string
CSRF SameSite
$tokenName  : string
CSRF Token Name
$tokenRandomize  : bool
CSRF Token Randomization
$hashInCookie  : string|null
CSRF Hash in Request Cookie
$rawCookieName  : string|null
CSRF Cookie Name without Prefix
$request  : IncomingRequest
$session  : Session|null
Session instance.

Methods

__construct()  : mixed
Constructor.
generateHash()  : string
Generates (Regenerates) the CSRF Hash.
getCookieName()  : string
Returns the CSRF Cookie Name.
getHash()  : string|null
Returns the CSRF Token.
getHeaderName()  : string
Returns the CSRF Header Name.
getTokenName()  : string
Returns the CSRF Token Name.
sanitizeFilename()  : string
Sanitize Filename
shouldRedirect()  : bool
Check if the request should be redirected on failure.
verify()  : $this
CSRF verification.
derandomize()  : string
Derandomize the token.
randomize()  : string
Randomize hash to avoid BREACH attacks.
configureCookie()  : void
configureSession()  : void
getPostedToken()  : string|null
isCSRFCookie()  : bool
isHashInCookie()  : bool
removeTokenInRequest()  : void
Remove token in POST or JSON request data
restoreHash()  : void
Restore hash from Session or Cookie
saveHashInCookie()  : void
saveHashInSession()  : void

Constants

CSRF_PROTECTION_COOKIE

public mixed CSRF_PROTECTION_COOKIE = 'cookie'

CSRF_PROTECTION_SESSION

public mixed CSRF_PROTECTION_SESSION = 'session'

CSRF_HASH_BYTES

protected mixed CSRF_HASH_BYTES = 16

Properties

$config

Security Config

protected Security $config

$cookieName

CSRF Cookie Name (with Prefix)

protected string $cookieName = 'csrf_cookie_name'

Cookie name for Cross Site Request Forgery protection.

$csrfProtection

CSRF Protection Method

Use $this->config->csrfProtection.

protected string $csrfProtection = self::CSRF_PROTECTION_COOKIE

Protection Method for Cross Site Request Forgery protection.

'cookie' or 'session'

$expires

CSRF Expires

Use $this->config->expires.

protected int $expires = 7200

Expiration time for Cross Site Request Forgery protection cookie.

Defaults to two hours (in seconds).

$hash

CSRF Hash (without randomization)

protected string|null $hash

Random hash for Cross Site Request Forgery protection.

$headerName

CSRF Header Name

Use $this->config->headerName.

protected string $headerName = 'X-CSRF-TOKEN'

Header name for Cross Site Request Forgery protection.

$redirect

CSRF Redirect

Use $this->config->redirect.

protected bool $redirect = false

Redirect to previous page with error on failure.

$regenerate

CSRF Regenerate

Use $this->config->regenerate.

protected bool $regenerate = true

Regenerate CSRF Token on every request.

$samesite

CSRF SameSite

Config\Cookie $samesite property is used.

protected string $samesite = \CodeIgniter\Cookie\Cookie::SAMESITE_LAX

Setting for CSRF SameSite cookie token.

Allowed values are: None - Lax - Strict - ''.

Defaults to Lax as recommended in this link:

Tags
see
https://portswigger.net/web-security/csrf/samesite-cookies

$tokenName

CSRF Token Name

Use $this->config->tokenName.

protected string $tokenName = 'csrf_token_name'

Token name for Cross Site Request Forgery protection.

$tokenRandomize

CSRF Token Randomization

Use $this->config->tokenRandomize.

protected bool $tokenRandomize = false

$hashInCookie

CSRF Hash in Request Cookie

private string|null $hashInCookie = null

The cookie value is always CSRF hash (without randomization) even if $tokenRandomize is true.

$rawCookieName

CSRF Cookie Name without Prefix

private string|null $rawCookieName = null

Methods

__construct()

Constructor.

public __construct(Security $config) : mixed

Stores our configuration and fires off the init() method to set up the initial state.

Parameters
$config : Security

generateHash()

Generates (Regenerates) the CSRF Hash.

public generateHash() : string
Return values
string

getCookieName()

Returns the CSRF Cookie Name.

public getCookieName() : string
Return values
string

getHash()

Returns the CSRF Token.

public getHash() : string|null
Return values
string|null

getHeaderName()

Returns the CSRF Header Name.

public getHeaderName() : string
Return values
string

getTokenName()

Returns the CSRF Token Name.

public getTokenName() : string
Return values
string

sanitizeFilename()

Sanitize Filename

public sanitizeFilename(string $str[, bool $relativePath = false ]) : string

Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is particularly useful for files that were supplied via user input.

If it is acceptable for the user input to include relative paths, e.g. file/in/some/approved/folder.txt, you can set the second optional parameter, $relativePath, to TRUE.

Parameters
$str : string

Input file name

$relativePath : bool = false

Whether to preserve paths

Return values
string

shouldRedirect()

Check if the request should be redirected on failure.

public shouldRedirect() : bool
Return values
bool

derandomize()

Derandomize the token.

protected derandomize(string $token) : string
Parameters
$token : string
Tags
params

string $token CSRF token

throws
InvalidArgumentException

"hex2bin(): Hexadecimal input string must have an even length"

Return values
string

CSRF hash

randomize()

Randomize hash to avoid BREACH attacks.

protected randomize(string $hash) : string
Parameters
$hash : string
Tags
params

string $hash CSRF hash

Return values
string

CSRF token
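The two methods above, derandomize() and randomize(), describe the BREACH mitigation only in one line each. The following stand-alone PHP sketch is an added example, not CodeIgniter's own code: the constant CSRF_HASH_BYTES and the method names mirror the page, but the internal construction (XOR the stored hash with a fresh one-time key and append the key, so every rendered token differs while the stored hash stays fixed) and the CsrfTokenMaskDemo class name are assumptions made here for illustration. It also shows the malformed-token check that the hex2bin() even-length error in derandomize() hints at, and a constant-time comparison for verification.

```php
<?php
// Added example (not CodeIgniter's code): per-response CSRF token masking
// as a BREACH mitigation. CsrfTokenMaskDemo and the XOR layout are assumptions.

declare(strict_types=1);

final class CsrfTokenMaskDemo
{
    // Same size the page lists for the Security class.
    private const CSRF_HASH_BYTES = 16;

    // Generate a fresh hash; this is what gets stored in the session or cookie.
    public static function generateHash(): string
    {
        return bin2hex(random_bytes(self::CSRF_HASH_BYTES));
    }

    // Randomize: XOR the hash with a one-time key and append the key.
    // The token placed in each HTML response is therefore different every
    // time, so a compression side channel (BREACH) cannot converge on a
    // fixed secret string in the response body.
    public static function randomize(string $hash): string
    {
        $keyBinary  = random_bytes(self::CSRF_HASH_BYTES);
        $hashBinary = hex2bin($hash);

        // PHP's string XOR is byte-wise; both halves are CSRF_HASH_BYTES long.
        return bin2hex(($hashBinary ^ $keyBinary) . $keyBinary);
    }

    // Derandomize: split the token into masked hash and key, undo the XOR.
    // Reject anything that is not exactly two hex-encoded halves, so hex2bin()
    // never sees an odd-length or non-hex string.
    public static function derandomize(string $token): string
    {
        $expectedLen = self::CSRF_HASH_BYTES * 4; // 2 hex chars per byte, 2 halves
        if (strlen($token) !== $expectedLen || ! ctype_xdigit($token)) {
            throw new InvalidArgumentException('Malformed CSRF token');
        }

        $maskedHex = substr($token, 0, self::CSRF_HASH_BYTES * 2);
        $keyHex    = substr($token, self::CSRF_HASH_BYTES * 2);

        return bin2hex(hex2bin($maskedHex) ^ hex2bin($keyHex));
    }

    // Verify a posted token against the stored hash in constant time.
    public static function verify(string $storedHash, string $postedToken): bool
    {
        try {
            $posted = self::derandomize($postedToken);
        } catch (InvalidArgumentException $e) {
            return false;
        }

        return hash_equals($storedHash, $posted);
    }
}

// Walk-through with constructed values.
$hash   = CsrfTokenMaskDemo::generateHash();
$token1 = CsrfTokenMaskDemo::randomize($hash); // token rendered in response 1
$token2 = CsrfTokenMaskDemo::randomize($hash); // token rendered in response 2

$checks = [
    'tokens differ per response'      => $token1 !== $token2,
    'token 1 verifies'                => CsrfTokenMaskDemo::verify($hash, $token1),
    'token 2 verifies'                => CsrfTokenMaskDemo::verify($hash, $token2),
    'truncated token rejected'        => ! CsrfTokenMaskDemo::verify($hash, substr($token1, 0, -1)),
    'non-hex token rejected'          => ! CsrfTokenMaskDemo::verify($hash, str_repeat('zz', 32)),
    'token for another hash rejected' => ! CsrfTokenMaskDemo::verify(CsrfTokenMaskDemo::generateHash(), $token1),
];

foreach ($checks as $label => $ok) {
    if (! $ok) {
        throw new RuntimeException("check failed: {$label}");
    }
    echo "ok: {$label}\n";
}
```

Note the division of labour this makes explicit: the value stored server-side (session or cookie, see $hashInCookie above) is always the unmasked hash, and masking happens only at render time, which is why the page states that the cookie value is the hash "without randomization" even when $tokenRandomize is true.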

configureCookie()

private configureCookie(Cookie $cookie) : void
Parameters
$cookie : Cookie

configureSession()

private configureSession() : void

isCSRFCookie()

private isCSRFCookie() : bool
Return values
bool

isHashInCookie()

private isHashInCookie() : bool
Return values
bool

restoreHash()

Restore hash from Session or Cookie

private restoreHash() : void

saveHashInCookie()

private saveHashInCookie() : void

saveHashInSession()

private saveHashInSession() : void
