Safely generate random HMAC keys for CSRF tokens

author: nashe <thomas@chauchefoin.fr> 2018-01-02 19:35:48 +0100
committer: nashe <thomas@chauchefoin.fr> 2018-01-02 19:35:48 +0100
commit: 7d9e7183cbc189c356a9bff5d640706959eca1ee (patch)
tree: b9a4a509fa0097ce1630afb2f5f96643c9d99ec4
parent: 17665eafb7e271198e6d11d57aae3593664dac58 (diff)
download: planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar
planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar.gz
planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar.bz2
planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar.xz
planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/app/classes/CSRF.php b/app/classes/CSRF.php
index 3e23380..639f573 100644
--- a/app/classes/CSRF.php
+++ b/app/classes/CSRF.php
@@ -5,6 +5,9 @@ class CSRF
     /** @var string */
     const HMAC_ALGORITHM = 'sha1';
 
+    /** @var string */
+    const SESSION_KEY_NAME = '_csrf_key';
+
     /**
      * Ensure that a CSRF token is valid for a given action.
      *
@@ -44,6 +47,9 @@ class CSRF
      */
     public static function getKey()
     {
-        return session_id();
+        if (empty($_SESSION[self::SESSION_KEY_NAME])) {
+            $_SESSION[self::SESSION_KEY_NAME] = random_bytes(16);
+        }
+        return $_SESSION[self::SESSION_KEY_NAME];
     }
 }
author	nashe <thomas@chauchefoin.fr>	2018-01-02 19:35:48 +0100
committer	nashe <thomas@chauchefoin.fr>	2018-01-02 19:35:48 +0100
commit	7d9e7183cbc189c356a9bff5d640706959eca1ee (patch)
tree	b9a4a509fa0097ce1630afb2f5f96643c9d99ec4
parent	17665eafb7e271198e6d11d57aae3593664dac58 (diff)
download	planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar.gz planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar.bz2 planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.tar.xz planet-7d9e7183cbc189c356a9bff5d640706959eca1ee.zip