class SecureRequestHelper

Helper class to deal with secure requests

Properties

protected $_csrf_cookiename
protected $_csrf_submittedvaluename
protected $_csrf_hashsecret
protected $_browserInterface

Methods

__construct(string $csrf_cookiename = '_CSRF_', string $csrf_submittedvaluename = '_FORM_CSRF_', string $csrf_hashsecret = '_hash_secret_')

Constructor

setBrowserInterface(AbstractBrowserInterface $intf)

Set the browser interface; used in unit testing

string getCSRFCookieName()

Get CSRF cookie name

string getCSRFCookie()

Get CSRF cookie value

string getHashedCSRFCookie()

Get a hashed CSRF value with a secret (useful to pass the CSRF submitted value as a GET parameter, without disclosing the CSRF cookie value in browser history, cache, etc.)

string getCSRFSubmittedValueName()

Get CSRF submitted value name

initializeCSRF()

Initialize security layer (sends a CSRF cookie to the browser)

revokeCSRF()

Revoke CSRF cookie

bool authorizeCSRF(array $request)

Authorize a request with CSRF security (double-submitted CSRF cookie pattern)

string addCSRFHiddenInput()

Get the HTML for a hidden CSRF field

Details

at line 37
__construct(string $csrf_cookiename = '_CSRF_', string $csrf_submittedvaluename = '_FORM_CSRF_', string $csrf_hashsecret = '_hash_secret_')

Constructor

Parameters

string $csrf_cookiename Name of CSRF cookie
string $csrf_submittedvaluename Name of the CSRF value submitted along with the request (double-submit CSRF cookie pattern)
string $csrf_hashsecret Secret to use when computing a hashed CSRF submitted value

at line 52
setBrowserInterface(AbstractBrowserInterface $intf)

Set the browser interface; used in unit testing

Parameters

AbstractBrowserInterface $intf

at line 64
string getCSRFCookieName()

Get CSRF cookie name

Return Value

string

at line 77
string getCSRFCookie()

Get CSRF cookie value

Return Value

string

Exceptions

CSRFException Thrown if the CSRF layer has not been initialized

at line 95
string getHashedCSRFCookie()

Get a hashed CSRF value with a secret (useful to pass the CSRF submitted value as a GET parameter, without disclosing the CSRF cookie value in browser history, cache, etc.)

The secret must be passed as a constructor parameter.

Return Value

string Returns the hashed CSRF value prefixed with '!' as a flag

at line 107
string getCSRFSubmittedValueName()

Get CSRF submitted value name

Return Value

string

at line 117
initializeCSRF()

Initialize security layer (sends a CSRF cookie to the browser)

at line 128
revokeCSRF()

Revoke CSRF cookie

at line 142
bool authorizeCSRF(array $request)

Authorize a request with CSRF security (double-submitted CSRF cookie pattern)

Parameters

array $request

Return Value

bool Returns TRUE if request is authorized

Exceptions

CSRFException Thrown if the request has not been authorized
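
The double-submit check that authorizeCSRF() and getHashedCSRFCookie() describe, sketched as an added example (not SecureRequestHelper's own code). It assumes HMAC-SHA256 as the hash with a secret and a request array that carries the submitted value under the default '_FORM_CSRF_' name; the function names are hypothetical.

```php
<?php
// Added illustration of the double-submit check; not SecureRequestHelper's source.
// Assumptions: HMAC-SHA256 as the "hash with a secret", the request is an array
// of submitted fields, and the cookie value is passed in explicitly.

const CSRF_FIELD = '_FORM_CSRF_';   // default submitted value name from the constructor

/** Generate a fresh random token to send as the CSRF cookie (128 bits, hex). */
function newCsrfToken(): string
{
    return bin2hex(random_bytes(16));
}

/** Hashed form for GET parameters: '!' flag followed by a keyed hash of the cookie. */
function hashedCsrfValue(string $cookie, string $secret): string
{
    return '!' . hash_hmac('sha256', $cookie, $secret);
}

/** Return true only if the submitted value matches the cookie, raw or hashed. */
function csrfMatches(array $request, string $cookie, string $secret): bool
{
    $submitted = $request[CSRF_FIELD] ?? null;
    if (!is_string($submitted) || $submitted === '' || $cookie === '') {
        return false;                          // missing cookie or field: reject
    }
    $expected = ($submitted[0] === '!')
        ? hashedCsrfValue($cookie, $secret)    // flagged: compare against the hashed form
        : $cookie;                             // unflagged: compare against the raw cookie
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed sample values.
$secret = 'replace-with-a-long-random-secret';
$cookie = newCsrfToken();

// Case 1: raw cookie value submitted in a form field.
var_dump(csrfMatches([CSRF_FIELD => $cookie], $cookie, $secret));
// Case 2: hashed value submitted, e.g. as a GET parameter.
var_dump(csrfMatches([CSRF_FIELD => hashedCsrfValue($cookie, $secret)], $cookie, $secret));
// Case 3: hashed value computed with a different secret.
var_dump(csrfMatches([CSRF_FIELD => hashedCsrfValue($cookie, '_hash_secret_')], $cookie, $secret));
// Case 4: request without the CSRF field.
var_dump(csrfMatches([], $cookie, $secret));
```

The constructor default '_hash_secret_' appears in this documentation, so pass your own secret as the third constructor parameter when relying on the hashed form.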

at line 171
string addCSRFHiddenInput()

Get the HTML for a hidden CSRF field

Return Value

string

Exceptions

CSRFException Thrown if the CSRF layer has not been initialized