Projekte/web-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CSRF Token + small fixes

Browse Source
This commit is contained in:
Roman Hergenreder
2020-06-14 19:39:52 +02:00
parent 8fc0b4bb05
commit f87fdc83ae
17 changed files with 83 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
core/Objects/Session.class.php
View File

@@ -19,15 +19,17 @@ class Session extends ApiObject {
private ?string $os;
private ?string $browser;
private bool $stayLoggedIn;
private string $csrfToken;
public function __construct(User $user, ?int $sessionId) {
public function __construct(User $user, ?int $sessionId, ?string $csrfToken) {
$this->user = $user;
$this->sessionId = $sessionId;
$this->stayLoggedIn = true;
$this->csrfToken = $csrfToken ?? generateRandomString(16);
}
public static function create($user, $stayLoggedIn) {
$session = new Session($user, null);
$session = new Session($user, null, null);
if($session->insert($stayLoggedIn)) {
return $session;
}
@@ -85,6 +87,7 @@ class Session extends ApiObject {
'ipAddress' => $this->ipAddress,
'os' => $this->os,
'browser' => $this->browser,
'csrf_token' => $this->csrfToken
);
}
@@ -93,7 +96,7 @@ class Session extends ApiObject {
$sql = $this->user->getSQL();
$minutes = Session::DURATION;
$columns = array("expires", "user_id", "ipAddress", "os", "browser", "data", "stay_logged_in");
$columns = array("expires", "user_id", "ipAddress", "os", "browser", "data", "stay_logged_in", "csrf_token");
$success = $sql
->insert("Session", $columns)
@@ -104,7 +107,8 @@ class Session extends ApiObject {
$this->os,
$this->browser,
json_encode($_SESSION),
$stayLoggedIn)
$stayLoggedIn,
$this->csrfToken)
->returning("uid")
->execute();
@@ -135,8 +139,13 @@ class Session extends ApiObject {
->set("Session.os", $this->os)
->set("Session.browser", $this->browser)
->set("Session.data", json_encode($_SESSION))
->set("Session.csrf_token", $this->csrfToken)
->where(new Compare("Session.uid", $this->sessionId))
->where(new Compare("Session.user_id", $this->user->getId()))
->execute();
}
public function getCsrfToken(): string {
return $this->csrfToken;
}
}