Added token expiration: 30 minutes by default

2024-10-09 17:24:28 +01:00 · 2024-10-09 17:24:28 +01:00 · 9bc3ccc02b
commit 9bc3ccc02b
parent 99e8b20bb3
1 changed files with 28 additions and 7 deletions
--- a/system/autoload/Csrf.php
+++ b/system/autoload/Csrf.php
@ -6,25 +6,46 @@
 **/


-class Csrf {
-    public static function generateToken($length = 16) {
+class Csrf
+{
+    private static $tokenExpiration = 1800; // 30 minutes
+
+    public static function generateToken($length = 16)
+    {
        return bin2hex(random_bytes($length));
    }

-    public static function validateToken($token, $storedToken) {
+    public static function validateToken($token, $storedToken)
+    {
        return hash_equals($token, $storedToken);
    }

-    public static function check($token) {
-        if (isset($_SESSION['csrf_token']) && isset($token)) {
-            return self::validateToken($token, $_SESSION['csrf_token']);
+    public static function check($token)
+    {
+        if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
+            $storedToken = $_SESSION['csrf_token'];
+            $tokenTime = $_SESSION['csrf_token_time'];
+
+            if (time() - $tokenTime > self::$tokenExpiration) {
+                self::clearToken();
+                return false;
+            }
+
+            return self::validateToken($token, $storedToken);
        }
        return false;
    }

-    public static function generateAndStoreToken() {
+    public static function generateAndStoreToken()
+    {
        $token = self::generateToken();
        $_SESSION['csrf_token'] = $token;
+        $_SESSION['csrf_token_time'] = time();
        return $token;
    }
+
+    public static function clearToken()
+    {
+        unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']);
+    }
 }