MockSecurity
extends Security
in package
Class Security
Provides methods that help protect your site against Cross-Site Request Forgery attacks.
Table of Contents
Constants
- CSRF_PROTECTION_COOKIE = 'cookie'
- CSRF_PROTECTION_SESSION = 'session'
- CSRF_HASH_BYTES = 16
Properties
- $config : Security
- Security Config
- $cookie : Cookie
- The CSRF Cookie instance.
- $cookieName : string
- CSRF Cookie Name (with Prefix)
- $csrfProtection : string
- CSRF Protection Method
- $expires : int
- CSRF Expires
- $hash : string|null
- CSRF Hash (without randomization)
- $headerName : string
- CSRF Header Name
- $redirect : bool
- CSRF Redirect
- $regenerate : bool
- CSRF Regenerate
- $samesite : string
- CSRF SameSite
- $tokenName : string
- CSRF Token Name
- $tokenRandomize : bool
- CSRF Token Randomization
- $hashInCookie : string|null
- CSRF Hash in Request Cookie
- $rawCookieName : string|null
- CSRF Cookie Name without Prefix
- $request : IncomingRequest
- $session : Session|null
- Session instance.
Methods
- __construct() : mixed
- Constructor.
- generateHash() : string
- Generates (Regenerates) the CSRF Hash.
- getCookieName() : string
- Returns the CSRF Cookie Name.
- getHash() : string|null
- Returns the CSRF Token.
- getHeaderName() : string
- Returns the CSRF Header Name.
- getTokenName() : string
- Returns the CSRF Token Name.
- sanitizeFilename() : string
- Sanitize Filename
- shouldRedirect() : bool
- Check if request should be redirect on failure.
- verify() : $this
- CSRF verification.
- derandomize() : string
- Derandomize the token.
- doSendCookie() : void
- randomize() : string
- Randomize hash to avoid BREACH attacks.
- configureCookie() : void
- configureSession() : void
- getPostedToken() : string|null
- isCSRFCookie() : bool
- isHashInCookie() : bool
- removeTokenInRequest() : void
- Remove token in POST or JSON request data
- restoreHash() : void
- Restore hash from Session or Cookie
- saveHashInCookie() : void
- saveHashInSession() : void
Constants
CSRF_PROTECTION_COOKIE
public
mixed
CSRF_PROTECTION_COOKIE
= 'cookie'
CSRF_PROTECTION_SESSION
public
mixed
CSRF_PROTECTION_SESSION
= 'session'
CSRF_HASH_BYTES
protected
mixed
CSRF_HASH_BYTES
= 16
Properties
$config
Security Config
protected
Security
$config
$cookie
The CSRF Cookie instance.
protected
Cookie
$cookie
$cookieName
CSRF Cookie Name (with Prefix)
protected
string
$cookieName
= 'csrf_cookie_name'
Cookie name for Cross Site Request Forgery protection.
$csrfProtection
CSRF Protection Method
Use $this->config->csrfProtection.
protected
string
$csrfProtection
= self::CSRF_PROTECTION_COOKIE
Protection Method for Cross Site Request Forgery protection.
'cookie' or 'session'
$expires
CSRF Expires
Use $this->config->expires.
protected
int
$expires
= 7200
Expiration time for Cross Site Request Forgery protection cookie.
Defaults to two hours (in seconds).
$hash
CSRF Hash (without randomization)
protected
string|null
$hash
Random hash for Cross Site Request Forgery protection.
$headerName
CSRF Header Name
Use $this->config->headerName.
protected
string
$headerName
= 'X-CSRF-TOKEN'
Header name for Cross Site Request Forgery protection.
$redirect
CSRF Redirect
Use $this->config->redirect.
protected
bool
$redirect
= false
Redirect to previous page with error on failure.
$regenerate
CSRF Regenerate
Use $this->config->regenerate.
protected
bool
$regenerate
= true
Regenerate CSRF Token on every request.
$samesite
CSRF SameSite
Config\Cookie $samesite property is used.
protected
string
$samesite
= \CodeIgniter\Cookie\Cookie::SAMESITE_LAX
Setting for CSRF SameSite cookie token.
Allowed values are: None - Lax - Strict - ''.
Defaults to Lax as recommended in this link:
Tags
$tokenName
CSRF Token Name
Use $this->config->tokenName.
protected
string
$tokenName
= 'csrf_token_name'
Token name for Cross Site Request Forgery protection.
$tokenRandomize
CSRF Token Randomization
Use $this->config->tokenRandomize.
protected
bool
$tokenRandomize
= false
$hashInCookie
CSRF Hash in Request Cookie
private
string|null
$hashInCookie
= null
The cookie value is always CSRF hash (without randomization) even if $tokenRandomize is true.
$rawCookieName
CSRF Cookie Name without Prefix
private
string|null
$rawCookieName
= null
$request read-only
private
IncomingRequest
$request
$session
Session instance.
private
Session|null
$session
= null
Methods
__construct()
Constructor.
public
__construct(Security $config) : mixed
Stores our configuration and fires off the init() method to setup initial state.
Parameters
- $config : Security
generateHash()
Generates (Regenerates) the CSRF Hash.
public
generateHash() : string
Return values
stringgetCookieName()
Returns the CSRF Cookie Name.
public
getCookieName() : string
Return values
stringgetHash()
Returns the CSRF Token.
public
getHash() : string|null
Return values
string|nullgetHeaderName()
Returns the CSRF Header Name.
public
getHeaderName() : string
Return values
stringgetTokenName()
Returns the CSRF Token Name.
public
getTokenName() : string
Return values
stringsanitizeFilename()
Sanitize Filename
public
sanitizeFilename(string $str[, bool $relativePath = false ]) : string
Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is particularly useful for files that were supplied via user input.
If it is acceptable for the user input to include relative paths, e.g. file/in/some/approved/folder.txt, you can set the second optional parameter, $relativePath to TRUE.
Parameters
- $str : string
-
Input file name
- $relativePath : bool = false
-
Whether to preserve paths
Return values
stringshouldRedirect()
Check if request should be redirect on failure.
public
shouldRedirect() : bool
Return values
boolverify()
CSRF verification.
public
verify(RequestInterface $request) : $this
Parameters
- $request : RequestInterface
Tags
Return values
$thisderandomize()
Derandomize the token.
protected
derandomize(string $token) : string
Parameters
- $token : string
Tags
Return values
string —CSRF hash
doSendCookie()
protected
doSendCookie() : void
randomize()
Randomize hash to avoid BREACH attacks.
protected
randomize(string $hash) : string
Parameters
- $hash : string
Return values
string —CSRF token
configureCookie()
private
configureCookie(Cookie $cookie) : void
Parameters
- $cookie : Cookie
configureSession()
private
configureSession() : void
getPostedToken()
private
getPostedToken(RequestInterface $request) : string|null
Parameters
- $request : RequestInterface
Return values
string|nullisCSRFCookie()
private
isCSRFCookie() : bool
Return values
boolisHashInCookie()
private
isHashInCookie() : bool
Return values
boolremoveTokenInRequest()
Remove token in POST or JSON request data
private
removeTokenInRequest(RequestInterface $request) : void
Parameters
- $request : RequestInterface
restoreHash()
Restore hash from Session or Cookie
private
restoreHash() : void
saveHashInCookie()
private
saveHashInCookie() : void
saveHashInSession()
private
saveHashInSession() : void