
Commit 04b319d

author
Greg Bowler
committed
feature: set csrf token length
for #389
1 parent 09e37bf commit 04b319d


2 files changed

+14
-3
lines changed


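--- a/config.default.ini
+++ b/config.default.ini
@@ -52,3 +52,5 @@ query_path=query
 csrf_header=X-CSRF
 ;csrf_ignore_path=/test-csrf-ignore,/test/*/wildcard/,/another-test-ignore
 csrf_ignore_path=
+csrf_max_tokens=100
+csrf_token_length=10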
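Review bot: The two new keys are added without any comment, so a deployer cannot tell from this file what `csrf_token_length=10` measures (bytes of randomness, characters of the rendered token) or what happens when `csrf_max_tokens` is exceeded. Since the value directly sets the entropy of the CSRF token, the unit matters for anyone tuning it down. A comment line such as `; csrf_token_length: length of each generated CSRF token (see SessionTokenStore::setTokenLength for the unit)` above the key would make the default reviewable; the actual unit is defined in SessionTokenStore, which is not part of this commit.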

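--- a/src/Middleware/RequestHandler.php
+++ b/src/Middleware/RequestHandler.php
@@ -197,13 +197,14 @@ public function handle(
 $serviceContainer->set($session);
 
 $session = $serviceContainer->get(Session::class);
-$csrfTokenStore = new SessionTokenStore(
-$session->getStore("webengine.csrf", true)
-);
 
 $shouldVerifyCsrf = true;
 $ignoredPathArray = explode(",", $this->config->getString("security.csrf_ignore_path") ?? "");
 foreach($ignoredPathArray as $ignoredPath) {
+if(empty($ignoredPath)) {
+continue;
+}
+
 if(str_contains($ignoredPath, "*")) {
 $pattern = strtr(rtrim($ignoredPath, "/"), [
 "*" => ".*",
@@ -220,6 +221,14 @@ public function handle(
 }
 
 if($shouldVerifyCsrf) {
+$csrfTokenStore = new SessionTokenStore(
+$session->getStore("webengine.csrf", true),
+$this->config->getInt("security.csrf_max_tokens")
+);
+$csrfTokenStore->setTokenLength(
+$this->config->getInt("security.csrf_token_length")
+);
+
 if($request->getMethod() === "POST") {
 $csrfTokenStore->verify($_POST);
 }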
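Review bot: In the second hunk the results of `getInt("security.csrf_max_tokens")` and `getInt("security.csrf_token_length")` are passed straight into the SessionTokenStore constructor and `setTokenLength()` with no fallback, whereas the existing `getString("security.csrf_ignore_path") ?? ""` in the first hunk suggests config accessors can return null when a key is absent; if `getInt` behaves the same way, any deployment whose own config predates these two keys will hit a TypeError (or, worse, silently get a zero-length token) the first time a CSRF-checked request arrives. Mirroring the existing pattern with the defaults from config.default.ini, `$this->config->getInt("security.csrf_max_tokens") ?? 100` and `$this->config->getInt("security.csrf_token_length") ?? 10`, would keep the strengthened token generation from becoming a hard failure on upgrade; a lower bound on the length would also be worth enforcing so a misconfigured small value cannot weaken the token. Note also that `$csrfTokenStore` is now created only inside `if($shouldVerifyCsrf)`, so any use of it later in `handle()`, which continues beyond this hunk, would be undefined on ignored paths.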
