SecurityToken
extends ArrayObject
Uses BackwardCompatibility
Represents a security token.
Extends \ArrayObject for backward compatibility purposes. Specifically, old code expected $_SESSION['token'][$whatever] to be an array with numeric keys, where the elements were in the order of variable name, hash, time, and value. By extending \ArrayObject and taking care in the constructor, we can maintain that behaviour when a SecurityToken object is handled like an array.
Table of Contents
Constants
- EXPIRY_TIME = 10800 : How long (in seconds) a token is good for.
Properties
- $hash : string
- $time : int
- $val : string
- $var : string
- $backcompat : array<string|int, mixed>
Methods
- __construct() : mixed : Constructor.
- clean() : void : Removes old, unused tokens from session.
- create() : array<string|int, mixed> : Let's give you a token of our appreciation.
- exportStatic() : void : Provides a way to export a class's public static properties and methods to global namespace.
- validate() : bool : Only patrons with valid tokens can ride this ride.
- getHash() : string : Gets the hash for a token.
Constants
EXPIRY_TIME
How long (in seconds) a token is good for.
public mixed EXPIRY_TIME = 10800
Properties
$hash
public string $hash
The hashed value for the token.
$time
public int $time
The time when the token was created.
$val
public string $val
The token value.
$var
public string $var
The token variable name.
$backcompat
private static array<string|int, mixed> $backcompat = ['func_names' => ['create' => 'createToken', 'validate' => 'validateToken', 'clean' => 'cleanTokens']]
BackwardCompatibility settings for this class.
Methods
__construct()
Constructor.
public __construct() : mixed
clean()
Removes old, unused tokens from session.
public static clean([bool $complete = false ]) : void
Defaults to 3 hours before a token is considered expired. If $complete = true, all tokens will be removed.
Parameters
- $complete : bool = false
  Whether to remove all tokens or only expired ones.
create()
Let's give you a token of our appreciation.
public static create(string $action[, string $type = 'post' ]) : array<string|int, mixed>
Sets $_SESSION['token'][$type . '-' . $action] to a new instance of this class.
Sets Utils::$context[$action . '_token_var'] to the $var property of the token instance, and Utils::$context[$action . '_token'] to the $val property. Also returns that data as an array.
Parameters
- $action : string
  The action to create the token for.
- $type : string = 'post'
  The type of token ('post', 'get' or 'request').
Return values
array<string|int, mixed> — An array containing the var and value of the token.
exportStatic()
Provides a way to export a class's public static properties and methods to global namespace.
public static exportStatic() : void
To do so:
- Use this trait in the class.
- At the END of the class's file, call its exportStatic() method.
Although it might not seem that way at first glance, this approach conforms to section 2.3 of PSR 1, since executing this method is simply a dynamic means of declaring functions when the file is included; it has no other side effects.
Regarding the $backcompat items:
A class's static properties are not exported to global variables unless explicitly included in $backcompat['prop_names']. Likewise, a class's static methods are not exported as global functions unless explicitly included in $backcompat['func_names'].
$backcompat['prop_names'] is a simple array where the keys are the names of one or more of a class's static properties, and the values are the names of global variables. In each case, the global variable will be set to a reference to the static property. Static properties that are not named in this array will not be exported.
$backcompat['func_names'] is a simple array where the keys are the names of one or more of a class's static methods, and the values are the names that should be used for global functions that will encapsulate those methods. Methods that are not named in this array will not be exported.
Adding non-static properties or methods to the $backcompat arrays will produce runtime errors. It is the responsibility of the developer to make sure not to do this.
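A sketch of the export mechanism described above, written for this page as an illustration and not the documented trait's own code. The trait name, the DemoCounter class, the global names and the use of eval() to declare the wrapper functions are assumptions made for the example.

```php
<?php
// Illustrative sketch (not the documented BackwardCompatibility trait) of exportStatic().
trait DemoBackwardCompatibility
{
    public static function exportStatic(): void
    {
        foreach (static::$backcompat['prop_names'] ?? [] as $prop => $global) {
            // The global variable becomes a reference to the static property.
            $GLOBALS[$global] = &static::$$prop;
        }
        foreach (static::$backcompat['func_names'] ?? [] as $method => $func) {
            // Names come from the class itself, but still refuse anything that is not a plain identifier.
            if (function_exists($func) || !preg_match('/^[A-Za-z_]\w*$/', $func)) {
                continue;
            }
            // Declare a global wrapper that forwards every argument to the static method.
            eval(sprintf('function %s(...$args) { return %s::%s(...$args); }', $func, static::class, $method));
        }
    }
}

class DemoCounter
{
    use DemoBackwardCompatibility;

    public static int $hits = 0;

    // Only the entries listed here are exported; everything else stays class-scoped.
    private static array $backcompat = [
        'prop_names' => ['hits' => 'demo_hits'],
        'func_names' => ['bump' => 'demoBump'],
    ];

    public static function bump(): int
    {
        return ++self::$hits;
    }
}

DemoCounter::exportStatic(); // called at the END of the file, as the page instructs
demoBump();                  // forwards to DemoCounter::bump(); $GLOBALS['demo_hits'] is now 1
```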
validate()
Only patrons with valid tokens can ride this ride.
public static validate(string $action[, string $type = 'post' ][, bool $reset = true ]) : bool
Parameters
- $action : string
  The action to validate the token for.
- $type : string = 'post'
  The type of request (get, request, or post).
- $reset : bool = true
  Whether to reset the token and display an error if validation fails.
Return values
bool — returns whether the validation was successful
getHash()
Gets the hash for a token.
protected static getHash(string $val) : string
The generated hash depends on $val, the user's "session check" value, and the current user agent string. In other words, the token will be valid only for the current session and in the current browser.
Note that checking the user agent isn't a security measure, since user agents are not unique and are easy to spoof. Rather, it's simply a way to help prevent users from surprising themselves if they switch browsers or devices while using the same cookies and/or pasting URLs with the session ID in the URL parameters.
Parameters
- $val : string
  The value for the token.
Return values
string — The hash.
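A compact model of the whole lifecycle this page documents (the legacy numeric-key layout from the class description, create(), validate(), clean() and getHash()), written for this page as an illustration and not the documented class's own code. It assumes the "session check" value lives in $_SESSION['session_value'] and the user agent in $_SERVER['HTTP_USER_AGENT'], uses SHA-256 as a stand-in for whatever hash the real class uses, and leaves out the Utils::$context assignments.

```php
<?php
// Illustrative model (not the documented class); placeholders: $_SESSION['session_value'] = session check value.
class DemoSecurityToken extends ArrayObject
{
    public const EXPIRY_TIME = 10800;
    public string $var, $hash, $val;
    public int $time;
    public function __construct()
    {
        $this->var = 'tk_' . bin2hex(random_bytes(4));
        $this->val = bin2hex(random_bytes(16));
        $this->time = time();
        $this->hash = self::getHash($this->val);
        // Numeric keys in the legacy order the page describes: var, hash, time, value.
        parent::__construct([$this->var, $this->hash, $this->time, $this->val]);
    }
    protected static function getHash(string $val): string
    {
        // Binds the token to the session; the user-agent part is a convenience, not a security control.
        return hash('sha256', $val . ($_SESSION['session_value'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
    }
    public static function create(string $action, string $type = 'post'): array
    {
        $token = new self();
        $_SESSION['token'][$type . '-' . $action] = $token;
        return [$token->var, $token->val];
    }
    public static function validate(string $action, string $type = 'post', bool $reset = true): bool
    {
        $key = $type . '-' . $action;
        $src = $type === 'get' ? $_GET : ($type === 'request' ? $_REQUEST : $_POST);
        $token = $_SESSION['token'][$key] ?? null;
        $ok = $token instanceof self && isset($src[$token->var]) && is_string($src[$token->var])
            && time() - $token->time < self::EXPIRY_TIME
            && hash_equals($token->hash, self::getHash($src[$token->var]));
        if (!$ok && $reset) {
            unset($_SESSION['token'][$key]); // caller must issue a fresh token before retrying
        }
        return $ok;
    }
    public static function clean(bool $complete = false): void
    {
        foreach ($_SESSION['token'] ?? [] as $key => $t) {
            if ($complete || !$t instanceof self || time() - $t->time >= self::EXPIRY_TIME) {
                unset($_SESSION['token'][$key]);
            }
        }
    }
}
```

Because the object is also an ArrayObject, legacy code reading $_SESSION['token'][$key][1] still gets the hash and [2] the creation time, exactly as the class description requires.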