SecurityToken extends ArrayObject
Represents a security token.

Extends \ArrayObject for backward compatibility purposes. Specifically, old code expected $_SESSION['token'][$whatever] to be an array with numeric keys, where the elements were in the order of variable name, hash, time, and value. By extending \ArrayObject and taking care in the constructor, we can maintain that behaviour when a SecurityToken object is handled like an array.

Table of Contents

Constants

EXPIRY_TIME  = 10800
How long (in seconds) a token is good for.

Properties

$hash  : string
$time  : int
$val  : string
$var  : string

Methods

__construct()  : mixed
Constructor.
clean()  : void
Removes old, unused tokens from session.
create()  : array<string|int, mixed>
Let's give you a token of our appreciation.
validate()  : bool
Only patrons with valid tokens can ride this ride.
getHash()  : string
Gets the hash for a token.

Constants

EXPIRY_TIME

How long (in seconds) a token is good for.

public mixed EXPIRY_TIME = 10800

Methods

clean()

Removes old, unused tokens from session.

public static clean([bool $complete = false ]) : void

By default, a token is considered expired after EXPIRY_TIME (10800 seconds, i.e. 3 hours). If $complete = true, all tokens are removed regardless of age.

Parameters
$complete : bool = false

Whether to remove all tokens or only expired ones.

create()

Let's give you a token of our appreciation.

public static create(string $action[, string $type = 'post' ]) : array<string|int, mixed>

Sets $_SESSION['token'][$type . '-' . $action] to a new instance of this class.

Sets Utils::$context[$action . '_token_var'] to the $var property of the token instance, and Utils::$context[$action . '_token'] to the $val property. Also returns that data as an array.

Parameters
$action : string

The action to create the token for

$type : string = 'post'

The type of token ('post', 'get' or 'request')

Return values
array<string|int, mixed>

An array containing the var and value of the token.

validate()

Only patrons with valid tokens can ride this ride.

public static validate(string $action[, string $type = 'post' ][, bool $reset = true ]) : bool

Parameters
$action : string

The action to validate the token for

$type : string = 'post'

The type of request (get, request, or post)

$reset : bool = true

Whether to reset the token and display an error if validation fails

Return values
bool

Whether the validation was successful.

getHash()

Gets the hash for a token.

protected static getHash(string $val) : string

The generated hash depends on $val, the user's "session check" value, and the current user agent string. In other words, the token is valid only for the current session and in the current browser.

Note that checking the user agent isn't a security measure, since user agents are not unique and are easy to spoof. Rather, it's simply a way to help prevent users from surprising themselves if they switch browsers or devices while using the same cookies and/or pasting URLs with the session ID in the URL parameters.

Parameters
$val : string

The value for the token.

Return values
string

The hash.
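The following is an added illustration of the behaviour documented for create(), validate() and getHash() above (and of the numeric-key layout described in the class summary); it is not SMF's own SecurityToken code. It assumes session_start() has already been called, uses a hypothetical $_SESSION['session_check'] key for the "session check" value, and picks SHA-256 for the hash construction, which the page does not specify; clean() is omitted.

```php
<?php
// Added illustration of the documented behaviour; not SMF's own code.
// Assumptions: session already started, 'session_check' session key, SHA-256 hash.
final class DemoSecurityToken extends ArrayObject
{
    public const EXPIRY_TIME = 10800;
    public string $var;   // name of the hidden form field / URL parameter
    public string $hash;  // getHash($val): binds the token to session and browser
    public int $time;     // creation time, used for the expiry check
    public string $val;   // secret value the client must echo back

    public function __construct()
    {
        $this->var  = bin2hex(random_bytes(8));
        $this->val  = bin2hex(random_bytes(16));
        $this->time = time();
        $this->hash = self::getHash($this->val);
        // Legacy numeric layout: [0] => var, [1] => hash, [2] => time, [3] => value.
        parent::__construct([$this->var, $this->hash, $this->time, $this->val]);
    }

    /** Stores a token under $_SESSION['token']["$type-$action"] and returns [var, val]. */
    public static function create(string $action, string $type = 'post'): array
    {
        $token = new self();
        $_SESSION['token'][$type . '-' . $action] = $token;
        return [$token->var, $token->val];
    }

    /** True only if an unexpired token exists and the request echoes a value hashing to it. */
    public static function validate(string $action, string $type = 'post', bool $reset = true): bool
    {
        $key    = $type . '-' . $action;
        $source = ['post' => $_POST, 'get' => $_GET, 'request' => $_REQUEST][$type] ?? [];
        $token  = $_SESSION['token'][$key] ?? null;
        $ok = $token instanceof self
            && time() - $token->time <= self::EXPIRY_TIME
            && isset($source[$token->var])
            && hash_equals($token->hash, self::getHash((string) $source[$token->var]));
        if (!$ok && $reset) {
            unset($_SESSION['token'][$key]); // drop the stale token so the form must be reloaded
        }
        return $ok;
    }

    protected static function getHash(string $val): string
    {
        // Assumed construction: the value, the session check value and the user agent string.
        return hash('sha256', $val . ($_SESSION['session_check'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
    }
}
```

A form handler would call `[$var, $val] = DemoSecurityToken::create('demo-action');`, emit `<input type="hidden" name="$var" value="$val">`, and on submission accept the request only if `DemoSecurityToken::validate('demo-action')` returns true.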
