<?php
/*
* PHP library to block CSRF attempts (session-bound, single-use form tokens).
* ********************************
* @Author: Machiavel
* @Telegram: @MachiavelSST
* ********************************
*/
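class CSRF {
    /** Session key holding the current token value. */
    private $tokenKey = 'CSRF-Token';
    /** Session key holding the Unix time (int) at which the token was issued. */
    private $expireKey = 'CSRF-Expire';
    /** Session key holding the client fingerprint (IP + User-Agent hash) bound to the token. */
    private $clientKey = 'CSRF-Client';
    /** Name of the cookie carrying a password_hash() of the token. */
    private $cookieName = 'X-CSRF-TOKEN';
    /** Token lifetime in seconds. */
    private $tokenTime;

    /**
     * Start output buffering and the session.
     *
     * Buffering keeps headers unsent so the token cookie can still be set after
     * the page has begun rendering. Properties are declared here because
     * creating them dynamically is deprecated since PHP 8.2.
     *
     * @param int $tokenTime Token lifetime in seconds (600 by default, as before).
     */
    public function __construct($tokenTime = 600)
    {
        $this->tokenTime = (int) $tokenTime;
        ob_start();
        // session_start() warns when a session is already active or headers are
        // already out; test for both instead of hiding the warning with "@".
        if (session_status() === PHP_SESSION_NONE && !headers_sent()) {
            session_start();
        }
        // Without a live session nothing persists between requests, so every
        // checkToken() fails closed rather than crashing on a missing array.
        if (!isset($_SESSION) || !is_array($_SESSION)) {
            $_SESSION = [];
        }
    }

    /**
     * Whether the session holds the given key (a stored null still counts).
     *
     * @param string $element Session key.
     */
    private function isValid($element): bool
    {
        return array_key_exists($element, $_SESSION);
    }

    /**
     * Read a session value, or null when the key is absent.
     *
     * @param string $element Session key.
     * @return mixed
     */
    private function getElement($element)
    {
        return $_SESSION[$element] ?? null;
    }

    /**
     * Write each key/value pair into the session.
     *
     * @param array<string, mixed> $parameters
     */
    private function create(array $parameters = [])
    {
        foreach ($parameters as $element => $value) {
            $_SESSION[$element] = $value;
        }
    }

    /**
     * Whether the stored token is younger than the configured lifetime.
     * A missing or non-integer issue time is treated as expired.
     */
    private function checkExpire(): bool
    {
        $issued = $this->getElement($this->expireKey);
        if (!is_int($issued)) {
            return false;
        }
        return (time() - $issued) < $this->tokenTime;
    }

    /**
     * Fingerprint of the requesting client, stored in the session at issue time
     * and compared at check time. Kept out of the token itself so the form does
     * not reveal the client's address.
     */
    private function clientFingerprint(): string
    {
        return hash('sha256', $this->getIP() . '|' . $this->getUA());
    }

    /**
     * Whether the request comes from the client the token was issued to:
     * the client cookie must verify against the token and the fingerprint
     * must match the one recorded at issue time.
     */
    private function checkClient(): bool
    {
        $cookie = $_COOKIE[$this->cookieName] ?? null;
        $token = $this->getElement($this->tokenKey);
        $bound = $this->getElement($this->clientKey);
        // A cookie sent as an array (name[]=...) would make password_verify() throw.
        if (!is_string($cookie) || !is_string($token) || !is_string($bound)) {
            return false;
        }
        return hash_equals($bound, $this->clientFingerprint())
            && password_verify($token, $cookie);
    }

    /**
     * Client address with dots/colons stripped, or "127001" when none validates.
     *
     * The forwarded headers are supplied by the client unless a trusted proxy
     * overwrites them, so they only serve as a consistency check between issue
     * and use of a token, not as an authoritative identity. The original loop
     * fell back to REMOTE_ADDR as soon as the first header was empty; this one
     * tries each candidate in order, then REMOTE_ADDR.
     */
    private function getIP(): string
    {
        $candidates = ['HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];
        foreach ($candidates as $key) {
            $raw = $_SERVER[$key] ?? '';
            if (!is_string($raw) || $raw === '') {
                continue;
            }
            // X-Forwarded-For may carry a comma-separated chain; the first entry
            // is the originating client.
            $first = trim(explode(',', $raw)[0]);
            if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
                return str_replace(['.', ':'], '', $first);
            }
        }
        return '127001';
    }

    /**
     * Hash of the User-Agent reduced to [A-Za-z0-9-].
     *
     * A missing User-Agent hashes to a fixed value instead of a random one
     * (the original md5(rand()) made such clients unable to ever validate).
     */
    private function getUA(): string
    {
        $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
        $normalized = is_string($ua) ? preg_replace('/[^A-Za-z0-9\-]/', '', $ua) : '';
        return hash('sha256', (string) $normalized);
    }

    /**
     * Fresh 128-bit token as 32 hex characters, from the CSPRNG rather than
     * md5(uniqid(rand())). The token carries no client or session data.
     */
    private function newToken(): string
    {
        return bin2hex(random_bytes(16));
    }

    /**
     * Send the client cookie: a password_hash() of the token, HttpOnly, Secure
     * when the request itself is HTTPS. Skipped once headers are out, where
     * setcookie() would only emit a warning.
     *
     * @param string $token
     */
    private function sendCookie($token)
    {
        if (headers_sent()) {
            return;
        }
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        setcookie($this->cookieName, password_hash($token, PASSWORD_DEFAULT), time() + $this->tokenTime, '/', '', $secure, true);
    }

    /** Drop the token and everything bound to it from the session. */
    private function endToken()
    {
        foreach ([$this->tokenKey, $this->expireKey, $this->clientKey] as $element) {
            unset($_SESSION[$element]);
        }
    }

    /**
     * Return the current token, issuing a new one (and its cookie) when none
     * exists or the existing one has expired.
     */
    public function getToken(): string
    {
        if (!$this->isValid($this->tokenKey) || !$this->checkExpire()) {
            $token = $this->newToken();
            $this->create([
                $this->tokenKey  => $token,
                $this->expireKey => time(),
                $this->clientKey => $this->clientFingerprint(),
            ]);
            $this->sendCookie($token);
        }
        return (string) $this->getElement($this->tokenKey);
    }

    /**
     * Validate a submitted token. The token is single-use: it is discarded
     * whether or not it matched.
     *
     * The value is compared with hash_equals() (constant time, strict) instead
     * of "!=", and non-string input (e.g. an array from the request) is rejected
     * rather than coerced. The cheap comparison runs before the bcrypt-backed
     * checkClient() so a wrong value costs no hashing work.
     *
     * @param mixed $value Token value taken from the request.
     */
    public function checkToken($value): bool
    {
        $token = $this->getElement($this->tokenKey);
        $accepted = is_string($token)
            && $this->checkExpire()
            && is_string($value)
            && hash_equals($token, $value)
            && $this->checkClient();
        $this->endToken();
        return $accepted;
    }
}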
?>