CodeIgniter v4.6 API


Class Security

Provides methods that help protect your site against Cross-Site Request Forgery attacks.

Table of Contents

Constants

CSRF_PROTECTION_COOKIE  = 'cookie'
CSRF_PROTECTION_SESSION  = 'session'
CSRF_HASH_BYTES  = 16

Properties

$config  : Security
Security Config
$cookie  : Cookie
The CSRF Cookie instance.
$cookieName  : string
CSRF Cookie Name (with Prefix)
$csrfProtection  : string
CSRF Protection Method
$expires  : int
CSRF Expires
$hash  : string|null
CSRF Hash (without randomization)
$headerName  : string
CSRF Header Name
$redirect  : bool
CSRF Redirect
$regenerate  : bool
CSRF Regenerate
$samesite  : string
CSRF SameSite
$tokenName  : string
CSRF Token Name
$tokenRandomize  : bool
CSRF Token Randomization

Methods

__construct()  : mixed
Constructor.
generateHash()  : string
Generates (Regenerates) the CSRF Hash.
getCookieName()  : string
Returns the CSRF Cookie Name.
getHash()  : string|null
Returns the CSRF Token.
getHeaderName()  : string
Returns the CSRF Header Name.
getTokenName()  : string
Returns the CSRF Token Name.
sanitizeFilename()  : string
Sanitize Filename
shouldRedirect()  : bool
Check if the request should be redirected on failure.
verify()  : $this
CSRF verification.
derandomize()  : string
Derandomize the token.
doSendCookie()  : void
randomize()  : string
Randomize hash to avoid BREACH attacks.

Constants

CSRF_PROTECTION_COOKIE

public mixed CSRF_PROTECTION_COOKIE = 'cookie'

CSRF_PROTECTION_SESSION

public mixed CSRF_PROTECTION_SESSION = 'session'

CSRF_HASH_BYTES

protected mixed CSRF_HASH_BYTES = 16

Properties

$config

Security Config

protected Security $config

$cookieName

CSRF Cookie Name (with Prefix)

protected string $cookieName = 'csrf_cookie_name'

Cookie name for Cross Site Request Forgery protection.

$csrfProtection

CSRF Protection Method

Use $this->config->csrfProtection.

protected string $csrfProtection = self::CSRF_PROTECTION_COOKIE

Protection Method for Cross Site Request Forgery protection.

'cookie' or 'session'

$expires

CSRF Expires

Use $this->config->expires.

protected int $expires = 7200

Expiration time for Cross Site Request Forgery protection cookie.

Defaults to two hours (in seconds).

$hash

CSRF Hash (without randomization)

protected string|null $hash

Random hash for Cross Site Request Forgery protection.

$headerName

CSRF Header Name

Use $this->config->headerName.

protected string $headerName = 'X-CSRF-TOKEN'

Header name for Cross Site Request Forgery protection.

$redirect

CSRF Redirect

Use $this->config->redirect.

protected bool $redirect = false

Redirect to previous page with error on failure.

$regenerate

CSRF Regenerate

Use $this->config->regenerate.

protected bool $regenerate = true

Regenerate CSRF Token on every request.

$samesite

CSRF SameSite

Config\Cookie $samesite property is used.

protected string $samesite = \CodeIgniter\Cookie\Cookie::SAMESITE_LAX

Setting for CSRF SameSite cookie token.

Allowed values are: None - Lax - Strict - ''.

Defaults to Lax as recommended in this link:

Tags
see
https://portswigger.net/web-security/csrf/samesite-cookies

$tokenName

CSRF Token Name

Use $this->config->tokenName.

protected string $tokenName = 'csrf_token_name'

Token name for Cross Site Request Forgery protection.

$tokenRandomize

CSRF Token Randomization

Use $this->config->tokenRandomize.

protected bool $tokenRandomize = false

Methods

__construct()

Constructor.

public __construct(Security $config) : mixed

Stores our configuration and fires off the init() method to set up the initial state.

Parameters
$config : Security

generateHash()

Generates (Regenerates) the CSRF Hash.

public generateHash() : string
Return values
string

getCookieName()

Returns the CSRF Cookie Name.

public getCookieName() : string
Return values
string

getHash()

Returns the CSRF Token.

public getHash() : string|null
Return values
string|null

getHeaderName()

Returns the CSRF Header Name.

public getHeaderName() : string
Return values
string

getTokenName()

Returns the CSRF Token Name.

public getTokenName() : string
Return values
string

sanitizeFilename()

Sanitize Filename

public sanitizeFilename(string $str[, bool $relativePath = false ]) : string

Use sanitize_filename() instead.

Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is particularly useful for files that were supplied via user input.

If it is acceptable for the user input to include relative paths, e.g. file/in/some/approved/folder.txt, you can set the second optional parameter, $relativePath, to true.

Parameters
$str : string

Input file name

$relativePath : bool = false

Whether to preserve paths

Return values
string
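The following is an added example, not CodeIgniter's own sanitizeFilename() implementation: it shows the allow-list approach a defender would use for the behaviour the page describes (strip path components by default, optionally preserve a relative path, and refuse directory-traversal segments outright rather than trying to strip known-bad substrings). The function name sanitizeFilenameExample and the accepted character set are this example's own choices.

```php
<?php
// Added example (not CodeIgniter's sanitizeFilename()): allow-list filename
// sanitizer. Traversal segments ('..') raise an exception instead of being
// silently rewritten, so a hostile input fails loudly and is easy to log.
declare(strict_types=1);

function sanitizeFilenameExample(string $str, bool $relativePath = false): string
{
    // Normalise Windows separators and drop NUL bytes, which terminate
    // C-level paths and can hide a trailing extension from later checks.
    $str = str_replace(["\\", "\0"], ['/', ''], $str);

    // Default mode: keep only the final path component.
    if (!$relativePath) {
        $str = basename($str);
    }

    $clean = [];
    foreach (explode('/', $str) as $segment) {
        // Empty segments come from a leading '/' or a doubled '//'; '.' is a no-op.
        if ($segment === '' || $segment === '.') {
            continue;
        }
        // Traversal is rejected, never "cleaned up".
        if ($segment === '..') {
            throw new InvalidArgumentException('directory traversal rejected');
        }
        // Conservative allow-list: alphanumeric start, then alphanumerics, dot,
        // underscore and hyphen. Dot-files (".htaccess") are deliberately refused.
        if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $segment)) {
            throw new InvalidArgumentException('disallowed characters in path segment');
        }
        $clean[] = $segment;
    }

    if ($clean === []) {
        throw new InvalidArgumentException('no usable filename');
    }

    return implode('/', $clean);
}

// Constructed sample inputs, run in both modes.
$samples = [
    'report.pdf',
    '../../etc/passwd',
    'file/in/some/approved/folder.txt',
    "notes.txt\0.php",
];

foreach ([false, true] as $relative) {
    foreach ($samples as $input) {
        try {
            $out = sanitizeFilenameExample($input, $relative);
        } catch (InvalidArgumentException $e) {
            $out = 'REJECTED: ' . $e->getMessage();
        }
        printf("relativePath=%s  %-36s => %s\n", $relative ? 'true ' : 'false', json_encode($input), $out);
    }
}
```

With $relativePath left at false, '../../etc/passwd' collapses to the bare name 'passwd' because basename() discards the directories; with $relativePath set to true the same input is rejected, which is the case the page warns about when relative paths are allowed.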

shouldRedirect()

Check if the request should be redirected on failure.

public shouldRedirect() : bool
Return values
bool

derandomize()

Derandomize the token.

protected derandomize(string $token) : string
Parameters
$token : string
Tags
params

string $token CSRF token

throws
InvalidArgumentException

"hex2bin(): Hexadecimal input string must have an even length"

Return values
string

CSRF hash

randomize()

Randomize hash to avoid BREACH attacks.

protected randomize(string $hash) : string
Parameters
$hash : string
Return values
string

CSRF token
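The randomize()/derandomize() pair above exists because a CSRF token that is byte-for-byte identical in every response is a BREACH oracle: with HTTP compression enabled, an attacker who can inject text into the page can measure compressed response sizes to recover the secret. Masking the stable hash with a fresh random key on every response keeps each emitted token different while the server still verifies against the same stored value. The block below is an added example, not CodeIgniter's code: it mirrors the page's names (CSRF_HASH_BYTES = 16, randomize, derandomize) and the even-length hex check the page documents, but the token layout (masked hash followed by the key, both hex) and the helper names assertEvenHex and verifyToken are this example's own assumptions.

```php
<?php
// Added example (not CodeIgniter's own code): per-response masking of a
// stable CSRF hash to defeat BREACH-style compression side channels.
// Token layout assumed here: hex(hash XOR key) . hex(key).
declare(strict_types=1);

const CSRF_HASH_BYTES = 16;

// Reject anything hex2bin() would choke on before we get there.
function assertEvenHex(string $hex): void
{
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        throw new InvalidArgumentException('Hexadecimal input string must have an even length');
    }
}

// The stable secret stored in the session or cookie (32 hex characters).
function generateHash(): string
{
    return bin2hex(random_bytes(CSRF_HASH_BYTES));
}

// Mask the hash with a fresh random key on every call.
function randomize(string $hash): string
{
    assertEvenHex($hash);
    $key    = random_bytes(CSRF_HASH_BYTES);
    $masked = hex2bin($hash) ^ $key;   // byte-wise XOR on binary strings

    return bin2hex($masked) . bin2hex($key);
}

// Strip the mask: the key is the trailing half of the token.
function derandomize(string $token): string
{
    $hexLen = CSRF_HASH_BYTES * 2;
    if (strlen($token) !== $hexLen * 2) {
        throw new InvalidArgumentException('CSRF token has unexpected length');
    }
    $masked = substr($token, 0, $hexLen);
    $key    = substr($token, $hexLen);
    assertEvenHex($masked);
    assertEvenHex($key);

    return bin2hex(hex2bin($masked) ^ hex2bin($key));
}

// Verification compares in constant time; malformed tokens simply fail.
function verifyToken(string $token, string $storedHash): bool
{
    try {
        return hash_equals($storedHash, derandomize($token));
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

// Self-check on constructed data: two responses, same secret, different tokens.
$hash   = generateHash();
$tokenA = randomize($hash);
$tokenB = randomize($hash);

if ($tokenA === $tokenB) {
    throw new RuntimeException('masking failed: tokens should differ per response');
}
if (!verifyToken($tokenA, $hash) || !verifyToken($tokenB, $hash)) {
    throw new RuntimeException('a masked token must still verify against the stored hash');
}
if (verifyToken(substr($tokenA, 1), $hash) || verifyToken($tokenA, generateHash())) {
    throw new RuntimeException('truncated or foreign tokens must be rejected');
}

echo "stored hash: {$hash}\ntoken A:     {$tokenA}\ntoken B:     {$tokenB}\n";
```

The mask is not a secret and offers no protection beyond BREACH: anyone holding a token can unmask it, so the security of the scheme still rests entirely on the hash being unguessable and on the comparison in verifyToken() being constant-time.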
