From b3f10a23e4eb51f9236af0647eee4607776fee23 Mon Sep 17 00:00:00 2001 From: Derek Jones Date: Sun, 25 Jul 2010 19:11:26 -0500 Subject: separated the CSRF cookie name from the token, forced new token on successful POST --- system/libraries/Security.php | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'system') diff --git a/system/libraries/Security.php b/system/libraries/Security.php index c8d435046..29ac2612b 100644 --- a/system/libraries/Security.php +++ b/system/libraries/Security.php @@ -29,7 +29,8 @@ class CI_Security { var $csrf_hash = ''; var $csrf_expire = 7200; // Two hours (in seconds) var $csrf_token_name = 'ci_csrf_token'; - + var $csfr_cookie_name = 'ci_csrf_token'; + /* never allowed, string replacement */ var $never_allowed_str = array( 'document.cookie' => '[removed]', @@ -52,6 +53,9 @@ class CI_Security { function CI_Security() { + // Append application specific cookie prefix to token name + $this->csfr_cookie_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name; + // Set the CSRF hash $this->_csrf_set_hash(); @@ -74,23 +78,25 @@ class CI_Security { return $this->csrf_set_cookie(); } - // Append application specific cookie prefix to token name - $csrf_token_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name; - // Do the tokens exist in both the _POST and _COOKIE arrays? - if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$csrf_token_name])) + if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$this->csfr_cookie_name])) { $this->csrf_show_error(); } // Do the tokens match? - if ($_POST[$this->csrf_token_name] != $_COOKIE[$csrf_token_name]) + if ($_POST[$this->csrf_token_name] != $_COOKIE[$this->csfr_cookie_name]) { $this->csrf_show_error(); } // We kill this since we're done and we don't want to polute the _POST array unset($_POST[$this->csrf_token_name]); + + // Nothing should last forever + unset($_COOKIE[$this->csfr_cookie_name]); + $this->_csrf_set_hash(); + $this->csrf_set_cookie(); log_message('debug', "CSRF token verified "); } @@ -105,11 +111,9 @@ class CI_Security { */ function csrf_set_cookie() { - $prefix = ( ! is_string(config_item('cookie_prefix'))) ? '' : config_item('cookie_prefix'); - $expire = time() + $this->csrf_expire; - setcookie($prefix.$this->csrf_token_name, $this->csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), 0); + setcookie($this->csfr_cookie_name, $this->csrf_hash, $expire, config_item('cookie_path'), config_item('cookie_domain'), 0); log_message('debug', "CRSF cookie Set"); } @@ -128,9 +132,9 @@ class CI_Security { { // If the cookie exists we will use it's value. We don't necessarily want to regenerate it with // each page load since a page could contain embedded sub-pages causing this feature to fail - if (isset($_COOKIE[$this->csrf_token_name]) AND $_COOKIE[$this->csrf_token_name] != '') + if (isset($_COOKIE[$this->csfr_cookie_name]) AND $_COOKIE[$this->csfr_cookie_name] != '') { - $this->csrf_hash = $_COOKIE[$this->csrf_token_name]; + $this->csrf_hash = $_COOKIE[$this->csfr_cookie_name]; } else { @@ -138,9 +142,6 @@ class CI_Security { } } - // Create the cookie before we finish up - $this->csrf_set_cookie(); - return $this->csrf_hash; } -- cgit v1.2.3-24-g4f1b