Form tokens improved with a optional time check and one-time use

Crecket · Crecket · commit 9386296c48d6 · 2016-03-14T11:00:32.000+01:00
diff --git a/README.md b/README.md
@@ -29,6 +29,9 @@ Returns the decryped output as a string using [defuse/php-encryption](https://gi
 ### encrypt($input, $key = false)
 Encrypt a string, if no key is given one will be generated for you (Recommended) using [defuse/php-encryption](https://github.com/defuse/php-encryption)'s library.
 
+### getFormToken('form_token_id', $_POST['form_token'], $limit = false)
+Verify a form token for the given id. The $limit is optional andm ust be given in seconds, if the limit is 300 and the token is used after 300 seconds it will be considered invalid.
+
 ### password_hash($password)
 Hash the given password. This function allows for longer passwords and isn't affected by the null-byte issue.
 
@@ -47,8 +50,13 @@ Return a random key using [defuse/php-encryption](https://github.com/defuse/php-
 ### randomString($length)
 Returns a random string for the given length
 
-### pseudoBytes($length)
-Returns random bytes for the given length
+### setFormToken($id)
+Set a unique token in the session and returns it, can be used to verify post/get requests
 
 ### strlen($str)
 Returns the length of the given string using mb_strlen when available
+
+### pseudoBytes($length)
+Returns random bytes for the given length
+
+
diff --git a/src/SecureFuncs.php b/src/SecureFuncs.php
@@ -53,14 +53,28 @@ public static function encrypt($input, $key = false)
     /**
      * Checks if the given id and token match > If not the form has been sent twice or the ID is incorrect
      * @param $id
+     * @param $limit_time
      * @return md5hash
      */
-    public static function getFormToken($id, $token)
+    public static function getFormToken($id, $token, $limit_time = false)
     {
-        if (empty($_SESSION['formtoken'][$id])) {
-            return false;
+        $valid = false;
+        // Check if isset
+        if (!empty($_SESSION['formtoken'][$id]) && !empty($_SESSION['formtoken_time'][$id])) {
+            // Check if token is correct
+            if (md5($_SESSION['formtoken'][$id]) === $token) {
+                $valid = true;
+                // If time limit is set, check if isset
+                if ($limit_time !== false) {
+                    // if time < limit time return true/false
+                    if (empty($_SESSION['formtoken_time'][$id]) || $_SESSION['formtoken_time'][$id] < time() - $limit_time){
+                        $valid = false;
+                    }
+                }
+            }
         }
-        return md5($_SESSION['formtoken'][$id]) == $token;
+        unset($_SESSION['formtoken'][$id]);
+        return $valid;
     }
 
     /**
@@ -82,17 +96,6 @@ public static function password_verify($password, $hash)
         return password_verify(base64_encode(hash('sha256', $password, true)), $hash);
     }
 
-    /**
-     * Sets a new random token using the given id
-     * @param $id
-     * @return md5hash
-     */
-    public static function setFormToken($id)
-    {
-        $_SESSION['formtoken'][$id] = self::randomString(100);
-        return md5($_SESSION['formtoken'][$id]);
-    }
-
     /**
      * @param int $length
      * @return string
@@ -165,18 +168,15 @@ public static function randomString($length)
     }
 
     /**
-     * @param int $length
-     * @return string
-     * @throws \Exception
+     * Sets a new random token using the given id
+     * @param $id
+     * @return md5hash
      */
-    public static function pseudoBytes($length = 1)
+    public static function setFormToken($id)
     {
-        $bytes = \openssl_random_pseudo_bytes($length, $strong);
-        if ($strong === TRUE) {
-            return $bytes;
-        } else {
-            throw new \Exception ('Insecure server! (OpenSSL Random byte generation insecure.)');
-        }
+        $_SESSION['formtoken'][$id] = self::randomString(100);
+        $_SESSION['formtoken_time'][$id] = time();
+        return md5($_SESSION['formtoken'][$id]);
     }
 
     /**
@@ -197,4 +197,19 @@ public static function strlen($str)
         }
     }
 
+    /**
+     * @param int $length
+     * @return string
+     * @throws \Exception
+     */
+    public static function pseudoBytes($length = 1)
+    {
+        $bytes = \openssl_random_pseudo_bytes($length, $strong);
+        if ($strong === TRUE) {
+            return $bytes;
+        } else {
+            throw new \Exception ('Insecure server! (OpenSSL Random byte generation insecure.)');
+        }
+    }
+
 }
