dongpo0409 2013-11-15 19:38
Views: 189
Accepted

CSRF session token invalid

My session is not being set and I'm not sure why...

public static function generate( $key )
{
    // optional origin binding: hash of client IP and user agent
    $extra = self::$doOriginCheck ? sha1( $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] ) : '';
    $token = base64_encode( time() . $extra . self::randomString( 32 ) );
    // stored under 'csrf_' . $key, e.g. csrf_token for generate("token")
    $_SESSION[ 'csrf_' . $key ] = $token;
    return $token;
}

I use that to generate a key. On my log in form, after including my session file, I use:

$token = CSRF::generate("token"); // class name is CSRF

I then use $token as a hidden value which is submitted along with the form.

Now to check it, I use a function called check() (this is the part where the exception is thrown):

public static function check( $key, $origin, $throwException=false, $timespan=null, $multiple=false )
{
    if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )
        if($throwException)
            throw new Exception( 'Missing session token.' );
        else
            return false;
    ....

I'm checking it as following:

CSRF::check($token, $_POST, true, 60*10, false);

($token is the token submitted). Why is it not saving the token in the session?


1 answer

  • dozr162106 2013-11-15 19:41

    You're passing $token in as the first parameter for CSRF::check(). Surely, it should be:

    CSRF::check('token', $_POST, true, 60*10, false);

    instead of

    CSRF::check($token, $_POST, true, 60*10, false);

    Seeing as you're setting the key as 'token' in CSRF::generate? Otherwise:

    if ( !isset( $_SESSION[ 'csrf_' . $key ] ) )

    will be something like:

    if ( !isset( $_SESSION[ 'csrf_hed97988hdbnbnuihg07dede89723tg7yihoi3dh' ] ) )

    This answer was chosen as the best answer by the asker.
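As an added example (not the asker's class or the answerer's code), a minimal PHP helper that keeps the page's `'csrf_' . $key` session convention and `time() . random` token layout, run through the two calls the answer contrasts. The hidden field name `token`, the use of `random_bytes()` in place of `randomString()`, and `hash_equals()` for the comparison are assumptions:

```php
<?php
// Added example: minimal CSRF helper in the same session-key convention as the
// asker's class, used to show why check($token, ...) can never find the token.
class CsrfExample
{
    public static function generate(string $key): string
    {
        // Assumed layout: time() (10 digits) followed by 32 random hex chars;
        // random_bytes() stands in for the page's randomString(). No origin hash.
        $token = base64_encode(time() . bin2hex(random_bytes(16)));
        $_SESSION['csrf_' . $key] = $token;
        return $token;
    }

    // $origin is the submitted form array ($_POST). The hidden field is assumed
    // to be named after $key, e.g. <input type="hidden" name="token" ...>.
    public static function check(string $key, array $origin, ?int $timespan = null): bool
    {
        if (!isset($_SESSION['csrf_' . $key], $origin[$key])) {
            return false;                  // no session token stored under this key
        }
        $expected = $_SESSION['csrf_' . $key];
        if (!hash_equals($expected, (string) $origin[$key])) {
            return false;                  // constant-time comparison of the tokens
        }
        if ($timespan !== null) {
            // Recover the issue time from the first 10 characters of the decoded token.
            $issued = (int) substr((string) base64_decode($expected, true), 0, 10);
            if (time() - $issued > $timespan) {
                return false;              // token older than the allowed window
            }
        }
        return true;
    }
}

// Simulated request cycle; $_SESSION is a plain array here, no session_start().
$_SESSION = [];
$token = CsrfExample::generate('token');   // stores under $_SESSION['csrf_token']
$post  = ['token' => $token];              // what the login form would submit

// Wrong call: the lookup key becomes 'csrf_' . $token, which was never set.
var_dump(CsrfExample::check($token, $post, 600));
// Correct call: the key 'token' matches the one passed to generate().
var_dump(CsrfExample::check('token', $post, 600));
```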
