From 9bc3ccc02b23304842c0b480cab5756a2c59477e Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Wed, 9 Oct 2024 17:24:28 +0100
Subject: [PATCH] Added token expiration: 30 minutes by default
---
 system/autoload/Csrf.php | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/system/autoload/Csrf.php b/system/autoload/Csrf.php
index b6d7efd2..5338dc14 100644
--- a/system/autoload/Csrf.php
+++ b/system/autoload/Csrf.php
@@ -6,25 +6,46 @@
 **/
-class Csrf {
- public static function generateToken($length = 16) {
+class Csrf
+{
+ private static $tokenExpiration = 1800; // 30 minutes
+
+ public static function generateToken($length = 16)
+ {
 return bin2hex(random_bytes($length));
 }
- public static function validateToken($token, $storedToken) {
+ public static function validateToken($token, $storedToken)
+ {
 return hash_equals($token, $storedToken);
 }
- public static function check($token) {
- if (isset($_SESSION['csrf_token']) && isset($token)) {
- return self::validateToken($token, $_SESSION['csrf_token']);
+ public static function check($token)
+ {
+ if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
+ $storedToken = $_SESSION['csrf_token'];
+ $tokenTime = $_SESSION['csrf_token_time'];
+
+ if (time() - $tokenTime > self::$tokenExpiration) {
+ self::clearToken();
+ return false;
+ }
+
+ return self::validateToken($token, $storedToken);
 }
 return false;
 }
- public static function generateAndStoreToken() {
+ public static function generateAndStoreToken()
+ {
 $token = self::generateToken();
 $_SESSION['csrf_token'] = $token;
+ $_SESSION['csrf_token_time'] = time();
 return $token;
 }
+
+ public static function clearToken()
+ {
+ unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']);
+ }
 }
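Review bot: The new `isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)` guard in `check()` still lets a non-string `$token` (for example an array posted from a repeated form field) reach `hash_equals()`, which on PHP 8 throws a TypeError rather than returning false; tighten the guard to `if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']) && is_string($token)) {`. Because the guard now also requires `csrf_token_time`, sessions that stored a token before this change fail validation until `generateAndStoreToken()` runs again, which is worth a line in the commit message or an explicit fallback. `check()` and `clearToken()` carry no docblock; add `/** Validate $token against the session token; a token older than $tokenExpiration seconds is cleared and rejected. */` and `/** Remove the stored token and its timestamp from the session. */`. As a style point, `$tokenExpiration` is never reassigned anywhere in the hunk, so `private const TOKEN_EXPIRATION = 1800;` states the intent better than a mutable static property.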