bouffeatulm/inc/CSRF.inc.php

<?php
    // Generates a token against CSRF
    // ==============================
    function generate_token($name = '') {
        if(session_id() == '')
            session_start();

        $token = uniqid(rand(), true);

        $_SESSION[$name.'_token'] = $token;
        $_SESSION[$name.'_token_time'] = time();

        return $token;
    }

    // Checks that the anti-CSRF token is correct
    // ==========================================
    function check_token($time, $name = '') {
        if(session_id() == '')
            session_start();

        if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && (isset($_POST['token']) || isset($_GET['token']))) {
            if(!empty($_POST['token']))
                $token = $_POST['token'];
            else
                $token = $_GET['token'];

            if($_SESSION[$name.'_token'] == $token) {
                if($_SESSION[$name.'_token_time'] >= (time() - (int) $time))
                    return true;
            }
        }
        return false;
    }
CSRF protection Added a simple CSRF protection 2013-08-24 23:53:52 +02:00			`<?php`
			`// Generates a token against CSRF`
Small improvements 2013-08-26 09:52:04 +02:00			`// ==============================`
Display name of the connected user 2013-08-30 22:33:06 +02:00			`function generate_token($name = '') {`
Small improvements 2013-08-26 09:52:04 +02:00			`if(session_id() == '')`
			`session_start();`

CSRF protection Added a simple CSRF protection 2013-08-24 23:53:52 +02:00			`$token = uniqid(rand(), true);`
Small improvements 2013-08-26 09:52:04 +02:00
CSRF protection Added a simple CSRF protection 2013-08-24 23:53:52 +02:00			`$_SESSION[$name.'_token'] = $token;`
			`$_SESSION[$name.'_token_time'] = time();`
Small improvements 2013-08-26 09:52:04 +02:00
CSRF protection Added a simple CSRF protection 2013-08-24 23:53:52 +02:00			`return $token;`
			`}`

			`// Checks that the anti-CSRF token is correct`
Small improvements 2013-08-26 09:52:04 +02:00			`// ==========================================`
Display name of the connected user 2013-08-30 22:33:06 +02:00			`function check_token($time, $name = '') {`
Small improvements 2013-08-26 09:52:04 +02:00			`if(session_id() == '')`
			`session_start();`

CSRF protection enhanced. To be tested... 2013-09-25 22:09:25 +02:00			`if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && (isset($_POST['token']) \|\| isset($_GET['token']))) {`
			`if(!empty($_POST['token']))`
			`$token = $_POST['token'];`
			`else`
			`$token = $_GET['token'];`

			`if($_SESSION[$name.'_token'] == $token) {`
Small improvements 2013-08-26 09:52:04 +02:00			`if($_SESSION[$name.'_token_time'] >= (time() - (int) $time))`
CSRF protection Added a simple CSRF protection 2013-08-24 23:53:52 +02:00			`return true;`
Small improvements 2013-08-26 09:52:04 +02:00			`}`
			`}`
CSRF protection Added a simple CSRF protection 2013-08-24 23:53:52 +02:00			`return false;`
			`}`