Modules

  1. Kohana
    2. Debug
    3. HTTP_Cache
    4. I18n
    5. Kohana
    6. Kohana_Config_Writer
    7. Request
    8. Request_Client
    9. Request_Client_Curl
    10. Request_Client_External
    11. Request_Client_HTTP
    12. Request_Client_Internal
    13. Request_Client_Stream
    14. Response
    15. Route
    16. UTF8
    17. View
    18. Configuration
      1. Config
      2. Config_File
      3. Config_Group
      4. Kohana_Config_File_Reader
      5. Kohana_Config_Reader
      6. Kohana_Config_Source
    19. Controller
      1. Controller
      2. Controller_Template
      3. Controller_Welcome
    20. Exceptions
      1. HTTP_Exception
      2. HTTP_Exception_300
      3. HTTP_Exception_301
      4. HTTP_Exception_302
      5. HTTP_Exception_303
      6. HTTP_Exception_304
      7. HTTP_Exception_305
      8. HTTP_Exception_307
      9. HTTP_Exception_400
      10. HTTP_Exception_401
      11. HTTP_Exception_402
      12. HTTP_Exception_403
      13. HTTP_Exception_404
      14. HTTP_Exception_405
      15. HTTP_Exception_406
      16. HTTP_Exception_407
      17. HTTP_Exception_408
      18. HTTP_Exception_409
      19. HTTP_Exception_410
      20. HTTP_Exception_411
      21. HTTP_Exception_412
      22. HTTP_Exception_413
      23. HTTP_Exception_414
      24. HTTP_Exception_415
      25. HTTP_Exception_416
      26. HTTP_Exception_417
      27. HTTP_Exception_500
      28. HTTP_Exception_501
      29. HTTP_Exception_502
      30. HTTP_Exception_503
      31. HTTP_Exception_504
      32. HTTP_Exception_505
      33. HTTP_Exception_Expected
      34. HTTP_Exception_Redirect
      35. Kohana_Exception
      36. Request_Client_Recursion_Exception
      37. Request_Exception
      38. Session_Exception
      39. UTF8_Exception
      40. Validation_Exception
      41. View_Exception
    21. HTTP
      1. HTTP
      2. HTTP_Header
      3. HTTP_Message
      4. HTTP_Request
      5. HTTP_Response
    22. Helpers
      1. Arr
      2. Cookie
      3. Date
      4. Feed
      5. File
      6. Form
      7. Fragment
      8. HTML
      9. Inflector
      10. Num
      11. Profiler
      12. Task_Help
      13. Text
      14. URL
      15. Upload
    23. Logging
      1. Log
      2. Log_File
      3. Log_StdErr
      4. Log_StdOut
      5. Log_Syslog
      6. Log_Writer
    24. Minion
      1. Minion_Exception
      2. Minion_Exception_InvalidTask
    25. Models
      1. Model
    26. Security
      1. Encrypt
      2. Encrypt_Mcrypt
      3. Encrypt_Openssl
      4. Security
      5. Valid
      6. Validation
    27. Session
      1. Session
      2. Session_Cookie
      3. Session_Native
  2. Kohana/Auth
    2. Auth
    3. Auth_File
    4. Auth_ORM
    5. Model_Auth_Role
    6. Model_Auth_User
    7. Model_Auth_User_Token
    8. Model_Role
    9. Model_User
    10. Model_User_Token
  3. Kohana/Cache
    2. Cache
    3. Cache_Apc
    4. Cache_Apcu
    5. Cache_Arithmetic
    6. Cache_Exception
    7. Cache_File
    8. Cache_GarbageCollect
    9. Cache_Memcache
    10. Cache_MemcacheTag
    11. Cache_Memcached
    12. Cache_Sqlite
    13. Cache_Tagging
    14. Cache_Wincache
  4. Kohana/Codebench
    2. Codebench
    3. Controllers
      1. Controller_Codebench
    4. Tests
      1. Bench_ArrCallback
      2. Bench_AutoLinkEmails
      3. Bench_DateSpan
      4. Bench_ExplodeLimit
      5. Bench_GruberURL
      6. Bench_LtrimDigits
      7. Bench_MDDoBaseURL
      8. Bench_MDDoImageURL
      9. Bench_MDDoIncludeViews
      10. Bench_StripNullBytes
      11. Bench_Transliterate
      12. Bench_URLSite
      13. Bench_UserFuncArray
      14. Bench_ValidColor
      15. Bench_ValidURL
  5. Kohana/Database
    2. DB
    3. Database
    4. Database_Expression
    5. Configuration
      1. Config_Database
      2. Config_Database_Reader
      3. Config_Database_Writer
    6. Drivers
      1. Database_MySQLi
      2. Database_PDO
    7. Exceptions
      1. Database_Exception
    8. Models
      1. Model_Database
    9. Query
      1. Database_Query
      2. Database_Query_Builder
      3. Database_Query_Builder_Delete
      4. Database_Query_Builder_Insert
      5. Database_Query_Builder_Join
      6. Database_Query_Builder_Select
      7. Database_Query_Builder_Update
      8. Database_Query_Builder_Where
    10. Query/Result
      1. Database_MySQLi_Result
      2. Database_Result
      3. Database_Result_Cached
    11. Session
      1. Session_Database
  6. Kohana/Image
    2. Image
    3. Drivers
      1. Image_GD
      2. Image_Imagick
  7. Kohana/ORM
    2. ORM
    3. ORM_Validation_Exception
  8. Kohana/UnitTest
    2. Unittest_Database_TestCase
    3. Unittest_Tests
  9. Kohana/Userguide
    2. Kodoc
    3. Kodoc_Class
    4. Kodoc_Markdown
    5. Kodoc_Method
    6. Kodoc_Method_Param
    7. Kodoc_Property
    8. Controller
      1. Controller_Userguide
    9. Undocumented
      1. Kodoc_Missing
  10. [Unknown]
    2. Minion_CLI
    3. Minion_Task
    4. Unittest_Helpers
    5. Unittest_TestCase
    6. Unittest_TestSuite

Security
extends Kohana_Security

Security helper class.

package
Kohana
category
Security
author
Kohana Team
copyright
© 2007-2012 Kohana Team
license
https://kohana.top/license

Class declared in SYSPATH/classes/Security.php on line 3.

Constants

  • None

Properties

Methods

Properties

public static string $token_name

key name used for token storage

string(14) "security_token"

Methods

public static check( string $token ) (defined in Kohana_Security)

Check that the given token matches the currently stored security token.

?
if (Security::check($token))
{
    // Pass
}

Parameters

  • string $token required - Token to check

Tags

Return Values

  • boolean

Source Code

?
public static function check($token)
{
    return Security::slow_equals(Security::token(), $token);
}

public static encode_php_tags( string $str ) (defined in Kohana_Security)

Encodes PHP tags in a string.

?
$str = Security::encode_php_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

?
public static function encode_php_tags($str)
{
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $str);
}

public static slow_equals( string $a , string $b ) (defined in Kohana_Security)

Compare two hashes in a time-invariant manner. Prevents cryptographic side-channel attacks (timing attacks, specifically)

Parameters

  • string $a required - Cryptographic hash
  • string $b required - Cryptographic hash

Return Values

  • boolean

Source Code

?
public static function slow_equals($a, $b)
{
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0; $i < strlen($a) AND $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

public static token( [ boolean $new = bool FALSE ] ) (defined in Kohana_Security)

Generate and store a unique token which can be used to help prevent CSRF attacks.

?
$token = Security::token();

You can insert this token into your forms as a hidden field:

?
echo Form::hidden('csrf', Security::token());

And then check it when using Validation:

?
$array->rules('csrf', [
    ['not_empty'],
    ['Security::check'],
]);

This provides a basic, but effective, method of preventing CSRF attacks.

Parameters

  • boolean $new = bool FALSE - Force a new token to be generated?

Tags

Return Values

  • string

Source Code

?
public static function token($new = false)
{
    $session = Session::instance();
 
    // Get the current token
    $token = $session->get(Security::$token_name);
 
    if ($new === true OR ! $token) {
        // Generate a new unique token
        if (function_exists('openssl_random_pseudo_bytes')) {
            // Generate a random pseudo bytes token if openssl_random_pseudo_bytes is available
            // This is more secure than uniqid, because uniqid relies on microtime, which is predictable
            $token = base64_encode(openssl_random_pseudo_bytes(32));
        } else {
            // Otherwise, fall back to a hashed uniqid
            $token = sha1(uniqid(null, true));
        }
 
        // Store the new token
        $session->set(Security::$token_name, $token);
    }
 
    return $token;
}