From 9bc3ccc02b23304842c0b480cab5756a2c59477e Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Wed, 9 Oct 2024 17:24:28 +0100
Subject: [PATCH] Added token expiration: 30 minutes by default

---
 system/autoload/Csrf.php | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/system/autoload/Csrf.php b/system/autoload/Csrf.php
index b6d7efd2..5338dc14 100644
--- a/system/autoload/Csrf.php
+++ b/system/autoload/Csrf.php
@@ -6,25 +6,46 @@
  **/
 
 
-class Csrf {
-    public static function generateToken($length = 16) {
+class Csrf
+{
+    private static $tokenExpiration = 1800; // 30 minutes
+
+    public static function generateToken($length = 16)
+    {
         return bin2hex(random_bytes($length));
     }
 
-    public static function validateToken($token, $storedToken) {
+    public static function validateToken($token, $storedToken)
+    {
         return hash_equals($token, $storedToken);
     }
 
-    public static function check($token) {
-        if (isset($_SESSION['csrf_token']) && isset($token)) {
-            return self::validateToken($token, $_SESSION['csrf_token']);
+    public static function check($token)
+    {
+        if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
+            $storedToken = $_SESSION['csrf_token'];
+            $tokenTime = $_SESSION['csrf_token_time'];
+
+            if (time() - $tokenTime > self::$tokenExpiration) {
+                self::clearToken();
+                return false;
+            }
+
+            return self::validateToken($token, $storedToken);
         }
         return false;
     }
 
-    public static function generateAndStoreToken() {
+    public static function generateAndStoreToken()
+    {
         $token = self::generateToken();
         $_SESSION['csrf_token'] = $token;
+        $_SESSION['csrf_token_time'] = time();
         return $token;
     }
+
+    public static function clearToken()
+    {
+        unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']);
+    }
 }
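Review bot: A session that still holds a `csrf_token` written before this change, with no `csrf_token_time`, fails the combined `isset()` at the top of `check()` and returns false without clearing the stale token, so those sessions stay stuck until something calls `generateAndStoreToken()`; treating a missing timestamp as expired keeps the clear-on-expiry path uniform: `if (isset($_SESSION['csrf_token'], $token)) {` and `$tokenTime = (int) ($_SESSION['csrf_token_time'] ?? 0);`. On style, the new `$tokenExpiration` property and the method signatures are untyped; `private static int $tokenExpiration = 1800;` and `public static function check(?string $token): bool` would let static analysis catch a non-string `$token` before `hash_equals()` raises a TypeError on it. A docblock on `check()` should also state that an expired token is removed from the session as a side effect, since callers may not expect a validation call to mutate session state.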