Kohana_Security

This class is a transparent base class for Security and should not be accessed directly.

Security helper class.

package: Kohana
category: Security
author: Kohana Team
copyright: © 2007-2012 Kohana Team
license: https://kohana.top/license

Class declared in SYSPATH/classes/Kohana/Security.php on line 12.

Constants

  • None

Properties

public static string $token_name

Key name used for token storage.

Default value: string(14) "security_token"

Methods

public static check( string $token ) (defined in Kohana_Security)

Check that the given token matches the currently stored security token.

if (Security::check($token))
{
    // Pass
}

Parameters

  • string $token required - Token to check

Return Values

  • boolean

Source Code

public static function check($token)
{
    return Security::slow_equals(Security::token(), $token);
}

public static encode_php_tags( string $str ) (defined in Kohana_Security)

Encodes PHP open and close tags (<? and ?>) in a string as HTML entities so they are displayed as text rather than interpreted as PHP.

$str = Security::encode_php_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

public static function encode_php_tags($str)
{
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $str);
}

public static slow_equals( string $a , string $b ) (defined in Kohana_Security)

Compare two hashes in a time-invariant manner. Prevents cryptographic side-channel attacks (timing attacks, specifically).

Parameters

  • string $a required - Cryptographic hash
  • string $b required - Cryptographic hash

Return Values

  • boolean

Source Code

public static function slow_equals($a, $b)
{
    // Start with a non-zero value if the lengths differ, so the result is
    // already "not equal" without an early return
    $diff = strlen($a) ^ strlen($b);

    // Walk the common prefix and OR every byte difference into $diff; no
    // branch depends on the data, so the time taken does not reveal where
    // the first mismatch is
    for ($i = 0; $i < strlen($a) AND $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }

    return $diff === 0;
}
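The following is an added example, not Kohana's own code, that makes the timing argument behind slow_equals() concrete. It instruments an early-exit comparison (the behaviour of a plain `===` on strings) and a comparison written in the style of slow_equals() with a byte counter, so the difference in work done, and therefore in run time, is visible without a stopwatch. The token and guesses are constructed sample input; it assumes PHP 7.1 or later for array destructuring.

```php
<?php
declare(strict_types=1);

// Added example, not Kohana's own code. It instruments two comparison
// strategies with a byte-comparison counter to show why an early-exit
// comparison is a timing side channel: the amount of work it does (and
// therefore its run time) reveals how many leading bytes of a guess matched.

/**
 * Early-exit comparison, the behaviour of a plain `$a === $b` on strings.
 * Returns [matched, bytesCompared].
 */
function naive_equals(string $known, string $guess): array
{
    if (strlen($known) !== strlen($guess)) {
        return [false, 0];
    }
    $compared = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $compared++;
        if ($known[$i] !== $guess[$i]) {
            return [false, $compared];   // stops at the first mismatch
        }
    }
    return [true, $compared];
}

/**
 * Constant-time comparison in the style of Security::slow_equals().
 * Returns [matched, bytesCompared].
 */
function slow_equals_instrumented(string $known, string $guess): array
{
    $diff     = strlen($known) ^ strlen($guess);   // non-zero if lengths differ
    $compared = 0;
    for ($i = 0; $i < strlen($known) && $i < strlen($guess); $i++) {
        $compared++;
        $diff |= ord($known[$i]) ^ ord($guess[$i]);   // accumulate, never branch
    }
    return [$diff === 0, $compared];
}

// Constructed sample input: a 32-byte stored token and three guesses.
$known   = str_repeat('a', 32);
$guesses = [
    'wrong first byte' => 'b' . str_repeat('a', 31),
    'wrong last byte'  => str_repeat('a', 31) . 'b',
    'exact match'      => $known,
];

foreach ($guesses as $label => $guess) {
    [$naiveOk, $naiveWork] = naive_equals($known, $guess);
    [$slowOk, $slowWork]   = slow_equals_instrumented($known, $guess);
    printf("%-16s naive: %-5s after %2d bytes | constant-time: %-5s after %2d bytes\n",
        $label,
        $naiveOk ? 'true' : 'false', $naiveWork,
        $slowOk ? 'true' : 'false', $slowWork);
}
```

With this input the early-exit version gives up after a single byte for the first guess and only walks all 32 bytes for the other two, while the slow_equals()-style loop walks all 32 bytes every time, so its run time carries no information about how much of the guess was right. PHP 5.6 added the built-in hash_equals(), which does the same job natively and is the better choice where available. Both it and slow_equals() still reveal length information through timing (slow_equals() loops over the shorter of the two strings; hash_equals() returns as soon as the lengths differ), which is acceptable for fixed-length values such as the tokens Security::token() produces.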

public static token( [ boolean $new = bool FALSE ] ) (defined in Kohana_Security)

Generate and store a unique token which can be used to help prevent CSRF attacks.

$token = Security::token();

You can insert this token into your forms as a hidden field:

echo Form::hidden('csrf', Security::token());

And then check it when using Validation:

$array->rules('csrf', [
    ['not_empty'],
    ['Security::check'],
]);

This provides a basic, but effective, method of preventing CSRF attacks.
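The snippets above show the three pieces separately. The following is an added example, not part of the Kohana documentation or code base, that wires Security::token() and Security::check() into a complete form round trip in one controller action. It assumes the Kohana 3.3 Controller, Request, Validation, Form and View APIs; the controller, action, view name, message file and field names are constructed for this illustration.

```php
<?php defined('SYSPATH') or die('No direct script access.');

// Added example, not Kohana's own code. Shows one complete CSRF-protected
// form round trip: issue the token when rendering the form, validate it on
// submit, and rotate it once the submission has been accepted.
// Assumes Kohana 3.3 APIs; Controller_Profile, the 'profile/edit' view and
// the 'profile' message file are constructed names for this illustration.

class Controller_Profile extends Controller
{
    public function action_edit()
    {
        $errors = [];
        $post   = $this->request->post();

        if ($this->request->method() === HTTP_Request::POST) {
            $validation = Validation::factory($post)
                ->rule('display_name', 'not_empty')
                ->rule('display_name', 'max_length', [':value', 64])
                // Security::check() compares the submitted value against the
                // token stored in the session using slow_equals(). A missing
                // or empty field is rejected by not_empty before check() runs.
                ->rules('csrf', [
                    ['not_empty'],
                    ['Security::check'],
                ]);

            if ($validation->check()) {
                // ... persist $post['display_name'] here (omitted) ...

                // Rotate the token so a value captured from this submission
                // cannot be replayed. Trade-off: forms already open in other
                // tabs of the same session now carry a stale token.
                Security::token(TRUE);

                $this->redirect('profile/edit');
            }

            $errors = $validation->errors('profile');
        }

        $this->response->body(View::factory('profile/edit', [
            'errors' => $errors,
            'values' => $post,
            // The token is created on first use and reused until rotated, so
            // every form rendered in this session carries the same value.
            'csrf'   => Security::token(),
        ]));
    }
}
```

In the 'profile/edit' view the token is emitted inside the form as `echo Form::hidden('csrf', $csrf);`. If the session has expired between rendering and submitting, Security::check() calls Security::token(), which finds no stored token and generates a fresh one, so the stale submitted value simply fails to match and the user is shown the form again with its validation errors rather than having the request silently accepted.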

Parameters

  • boolean $new = bool FALSE - Force a new token to be generated?

Return Values

  • string

Source Code

public static function token($new = false)
{
    $session = Session::instance();

    // Get the current token
    $token = $session->get(Security::$token_name);

    if ($new === true OR ! $token) {
        // Generate a new unique token
        if (function_exists('openssl_random_pseudo_bytes')) {
            // Generate a random pseudo bytes token if openssl_random_pseudo_bytes is available
            // This is more secure than uniqid, because uniqid relies on microtime, which is predictable
            $token = base64_encode(openssl_random_pseudo_bytes(32));
        } else {
            // Otherwise, fall back to a hashed uniqid
            $token = sha1(uniqid(null, true));
        }

        // Store the new token
        $session->set(Security::$token_name, $token);
    }

    return $token;
}