CMSimple_XH 開発者ドキュメント
CSRFProtection.php
1 <?php
2 
14 namespace XH;
15 
28 {
    /** @var string Name of the hidden form field and of the $_SESSION key that carry the token. */
    private $keyName;

    /** @var string|null The token; null until the constructor loads one from the session or tokenInput() generates it. */
    private $token = null;
42 
50  public function __construct($keyName = 'xh_csrf_token', $perRequest = false)
51  {
52  $this->keyName = $keyName;
53  if (!$perRequest) {
55  if (isset($_SESSION[$this->keyName])) {
56  $this->token = $_SESSION[$this->keyName];
57  }
58  }
59  }
60 
69  public function tokenInput()
70  {
71  if (!isset($this->token)) {
72  $this->token = md5(uniqid(rand()));
73  }
74  $o = '<input type="hidden" name="' . $this->keyName . '" value="'
75  . $this->token . '">';
76  return $o;
77  }
78 
85  public function check()
86  {
87  $submittedToken = isset($_POST[$this->keyName])
88  ? $_POST[$this->keyName]
89  : (isset($_GET[$this->keyName]) ? $_GET[$this->keyName] : '');
91  if (!isset($_SESSION[$this->keyName])
92  || $submittedToken != $_SESSION[$this->keyName]
93  ) {
94  header('HTTP/1.0 403 Forbidden');
95  XH_exit('Invalid CSRF token!');
96  }
97  }
98 
104  public function store()
105  {
106  if (isset($this->token)) {
107  XH_startSession();
108  $_SESSION[$this->keyName] = $this->token;
109  }
110  }
111 }
__construct($keyName='xh_csrf_token', $perRequest=false)
XH_startSession()
Definition: functions.php:2662
XH_exit($status=0)
Definition: functions.php:2401
$o
Definition: cms.php:113