Using this:
function nonce($str,$expires){
    global $salt; // $salt was used without being declared in the function; it must be defined once outside it
    // round the current time up to the next $expires-second boundary so the value is stable for that window
    return sha1(date('Y-m-d H:i',(int)(ceil(time()/$expires)*$expires)).$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$salt.$str);
}
Let's say I initialize my session_id after I log in, also generating a thumbprint, like this:
session_regenerate_id();
$_SESSION['thumbprint']=nonce(session_id().'thumbprint',86400);
And call these:
function valid_session(){
    // constant-time comparison instead of ==, which compares hex digests loosely (e.g. "0e..." strings as numbers)
    return (isset($_SESSION['thumbprint'])&&hash_equals($_SESSION['thumbprint'],nonce(session_id().'thumbprint',86400)));
}
function logged_in(){
return (valid_session()&&isset($_SESSION['user']['id'])&&isset($_SESSION['user']['typeid'])&&isset($_SESSION['user']['email']));
}
At the top of every page:
if(!logged_in()){ /* logout & redirect back to index */ }
With a thumbprint under such scrutiny do I even need to make tokens for each function call or is this implementation sufficient to protect against CSRF?
::: 86400 is 24 hours which I realize is a long time. Is that too long to rely on a unique ID for?
::: When I say secure functions I mean functions could be secured by using the same nonce or a token.
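The following is an added example, not code from the question above, showing the difference between the thumbprint check described there and a per-request CSRF token. The thumbprint is computed from values the browser attaches to every request on its own (the session cookie, the client IP and the User-Agent), so a request the browser makes on behalf of another site carries exactly the same values and passes the same check. A CSRF token is a secret that only this site's own pages embed in their forms, so a request that did not originate from one of those pages cannot present it. The function names, the `csrf_token` session key, the salt and the request values are all constructed for this demonstration; `thumbprint()` is a parameterised rewrite of the question's `nonce()` so it can run from the command line without a web server.

```php
<?php
// Added example: a per-session CSRF token checked alongside the question's thumbprint.
// Everything below (names, salt, session contents, request values) is constructed.

// Return the session's CSRF token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random secret
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every state-changing form this site renders.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token: reject missing values, compare in constant time.
function csrf_check(array &$session, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Parameterised version of the question's nonce(): same inputs, passed explicitly.
function thumbprint(string $sessionId, string $ip, string $ua, string $salt, int $expires): string
{
    $window = date('Y-m-d H:i', (int) (ceil(time() / $expires) * $expires));
    return sha1($window . $ip . $ua . $salt . $sessionId . 'thumbprint');
}

// --- Offline demonstration: one constructed session, two simulated POST requests ---
$salt    = 'constructed-demo-salt';
$session = ['user' => ['id' => 1, 'typeid' => 2, 'email' => 'user@example.invalid']];
$sid     = 'constructed-session-id';
$ip      = '192.0.2.10';
$ua      = 'Mozilla/5.0 (demo)';
$session['thumbprint'] = thumbprint($sid, $ip, $ua, $salt, 86400);

// Request 1: a form this site rendered, submitted by the logged-in browser.
$form = csrf_field($session);
preg_match('/value="([0-9a-f]+)"/', $form, $m);
$req1 = ['csrf_token' => $m[1]];

// Request 2: the same browser, cookie, IP and User-Agent, but the submitted form
// did not come from this site, so no token is present.
$req2 = [];

foreach ([$req1, $req2] as $i => $post) {
    // The thumbprint check is what valid_session() in the question does.
    $thumbOk = hash_equals($session['thumbprint'], thumbprint($sid, $ip, $ua, $salt, 86400));
    $csrfOk  = csrf_check($session, $post['csrf_token'] ?? null);
    printf("request %d: thumbprint %s, csrf token %s\n",
        $i + 1, $thumbOk ? 'matches' : 'differs', $csrfOk ? 'valid' : 'missing or invalid');
}
```

Both simulated requests pass the thumbprint comparison, because every input to it is the same for the two; only the token check separates them. In a real page the token comes from `$_POST['csrf_token']` and the session array is `$_SESSION`; the token is stored once per session here, which is the common per-session scheme, and it is independent of the 86400-second window the thumbprint uses.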