Static Public Member Functions
static	generateToken ()
static	getStats ()
static	getToken ()
static	getTokenField ()
static	getTokenMeta ()
static	init ()
static	regenerateToken ()
static	validateOrDie ($removeAfterValidation=false)
static	validateRequest ($removeAfterValidation=false)
static	validateToken ($token, $removeAfterValidation=false)

Data Fields
const	MAX_TOKENS = 10
const	SESSION_KEY = 'bearsampp_csrf_tokens'
const	TOKEN_EXPIRATION = 7200

Static Private Member Functions
static	cleanupExpiredTokens ()
static	getAllHeaders ()

Detailed Description

Class Csrf

Provides CSRF (Cross-Site Request Forgery) protection for the Bearsampp application. This class handles token generation, validation, and management to prevent CSRF attacks.

Features:

Secure token generation using cryptographically secure random bytes
Session-based token storage
Token expiration (default: 2 hours)
Token regeneration for enhanced security
Automatic cleanup of expired tokens

Usage:

// Generate and get token for forms/AJAX
$token = Csrf::getToken();
 
// Validate token from request
if (!Csrf::validateToken($_POST['csrf_token'])) {
    die('CSRF validation failed');
}

Definition at line 34 of file class.csrf.php.

Member Function Documentation

◆ cleanupExpiredTokens()

cleanupExpiredTokens ( )

staticprivate

Removes expired tokens from the session.

Returns: int Number of tokens removed

Definition at line 252 of file class.csrf.php.

    {
        if (!isset($_SESSION[self::SESSION_KEY])) {
            return 0;
        }
 
        $removed = 0;
        $currentTime = time();
 
        foreach ($_SESSION[self::SESSION_KEY] as $token => $timestamp) {
            if ($currentTime - $timestamp > self::TOKEN_EXPIRATION) {
                unset($_SESSION[self::SESSION_KEY][$token]);
                $removed++;
            }
        }
 
        if ($removed > 0) {
            Util::logDebug("Cleaned up $removed expired CSRF tokens");
        }
 
        return $removed;
    }

References Util\logDebug().

Referenced by init().

◆ generateToken()

generateToken ( )

static

Generates a new CSRF token and stores it in the session.

Returns: string The generated CSRF token

Exceptions

Exception If random_bytes() fails

Definition at line 80 of file class.csrf.php.

    {
        self::init();
 
        try {
            // Generate cryptographically secure random token
            $token = bin2hex(random_bytes(32));
        } catch (Exception $e) {
            Util::logError('Failed to generate CSRF token: ' . $e->getMessage());
            // Fallback to less secure but functional method
            $token = hash('sha256', uniqid('bearsampp_csrf_', true) . microtime(true));
        }
 
        // Store token with timestamp
        $_SESSION[self::SESSION_KEY][$token] = time();
 
        // Limit number of stored tokens
        if (count($_SESSION[self::SESSION_KEY]) > self::MAX_TOKENS) {
            // Remove oldest token
            $oldestToken = array_key_first($_SESSION[self::SESSION_KEY]);
            unset($_SESSION[self::SESSION_KEY][$oldestToken]);
        }
 
        // Log token generation without exposing token material
        Util::logDebug('CSRF token generated successfully');
 
        return $token;
    }

References init(), Util\logDebug(), and Util\logError().

Referenced by getToken(), and regenerateToken().

◆ getAllHeaders()

getAllHeaders ( )

staticprivate

Gets all HTTP headers in a cross-compatible way. Works with both Apache and FastCGI/CGI environments.

Returns: array Associative array of headers

Definition at line 218 of file class.csrf.php.

    {
        // Use getallheaders() if available (Apache)
        if (function_exists('getallheaders')) {
            $headers = getallheaders();
            if ($headers !== false) {
                return $headers;
            }
        }
 
        // Fallback for FastCGI/CGI environments
        $headers = [];
        foreach ($_SERVER as $key => $value) {
            // Extract HTTP headers from $_SERVER
            if (substr($key, 0, 5) === 'HTTP_') {
                // Convert HTTP_X_CSRF_TOKEN to X-Csrf-Token
                $headerName = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($key, 5)))));
                $headers[$headerName] = $value;
            }
            // Handle CONTENT_TYPE and CONTENT_LENGTH specially
            elseif (in_array($key, ['CONTENT_TYPE', 'CONTENT_LENGTH'])) {
                $headerName = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', $key))));
                $headers[$headerName] = $value;
            }
        }
 
        return $headers;
    }

Referenced by validateRequest().

◆ getStats()

getStats ( )

static

Gets statistics about current CSRF tokens. Useful for debugging and monitoring.

Returns: array Statistics about tokens

Definition at line 341 of file class.csrf.php.

    {
        self::init();
 
        $tokens = $_SESSION[self::SESSION_KEY] ?? [];
        $currentTime = time();
        $expired = 0;
        $valid = 0;
 
        foreach ($tokens as $timestamp) {
            if ($currentTime - $timestamp > self::TOKEN_EXPIRATION) {
                $expired++;
            } else {
                $valid++;
            }
        }
 
        return [
            'total' => count($tokens),
            'valid' => $valid,
            'expired' => $expired,
            'max_tokens' => self::MAX_TOKENS,
            'expiration_seconds' => self::TOKEN_EXPIRATION
        ];
    }

References init().

◆ getToken()

getToken ( )

static

Gets the current CSRF token, generating a new one if none exists.

Returns: string The CSRF token

Definition at line 114 of file class.csrf.php.

    {
        self::init();
 
        // If no tokens exist, generate one
        if (empty($_SESSION[self::SESSION_KEY])) {
            return self::generateToken();
        }
 
        // Return the most recent token
        $tokens = $_SESSION[self::SESSION_KEY];
        end($tokens);
        $latestToken = key($tokens);
 
        // Check if latest token is expired
        if (time() - $tokens[$latestToken] > self::TOKEN_EXPIRATION) {
            // Generate new token if expired
            return self::generateToken();
        }
 
        return $latestToken;
    }

References generateToken(), and init().

Referenced by getTokenField(), and getTokenMeta().

◆ getTokenField()

getTokenField ( )

static

Gets the token as a hidden input field for forms.

Returns: string HTML hidden input field

Definition at line 297 of file class.csrf.php.

    {
        $token = self::getToken();
        return '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    }

References getToken().

◆ getTokenMeta()

getTokenMeta ( )

static

Gets the token as a meta tag for inclusion in HTML head. Useful for AJAX requests.

Returns: string HTML meta tag

Definition at line 309 of file class.csrf.php.

    {
        $token = self::getToken();
        return '<meta name="csrf-token" content="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    }

References getToken().

◆ init()

init ( )

static

Initializes the CSRF protection system. Starts the session if not already started and cleans up expired tokens.

Returns: void

Definition at line 58 of file class.csrf.php.

    {
        // Start session if not already started
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
 
        // Initialize token storage if not exists
        if (!isset($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = [];
        }
 
        // Clean up expired tokens
        self::cleanupExpiredTokens();
    }

References cleanupExpiredTokens().

Referenced by generateToken(), getStats(), getToken(), regenerateToken(), and validateToken().

◆ regenerateToken()

regenerateToken ( )

static

Regenerates the CSRF token. Useful after sensitive operations or login.

Returns: string The new CSRF token

Definition at line 281 of file class.csrf.php.

    {
        self::init();
 
        // Clear all existing tokens
        $_SESSION[self::SESSION_KEY] = [];
 
        // Generate new token
        return self::generateToken();
    }

References generateToken(), and init().

◆ validateOrDie()

validateOrDie ( $removeAfterValidation = false )

static

Validates request and sends JSON error response if validation fails. This is a convenience method for AJAX endpoints.

Parameters

bool $removeAfterValidation Whether to remove the token after successful validation

Returns: void Exits with JSON error if validation fails

Definition at line 322 of file class.csrf.php.

    {
        if (!self::validateRequest($removeAfterValidation)) {
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode([
                'error' => 'CSRF validation failed',
                'message' => 'Invalid or expired security token. Please refresh the page and try again.'
            ]);
            exit;
        }
    }

References exit.

◆ validateRequest()

validateRequest ( $removeAfterValidation = false )

static

Validates a CSRF token from the request (POST or GET). Checks $_POST['csrf_token'] first, then $_GET['csrf_token'], then headers.

Parameters

bool $removeAfterValidation Whether to remove the token after successful validation

Returns: bool True if token is valid, false otherwise

Definition at line 186 of file class.csrf.php.

    {
        // Check POST first (most common for AJAX)
        if (isset($_POST['csrf_token'])) {
            return self::validateToken($_POST['csrf_token'], $removeAfterValidation);
        }
 
        // Check GET as fallback
        if (isset($_GET['csrf_token'])) {
            return self::validateToken($_GET['csrf_token'], $removeAfterValidation);
        }
 
        // Check custom header (for AJAX requests)
        $headers = self::getAllHeaders();
 
        // Check for X-CSRF-Token header (case-insensitive)
        foreach ($headers as $key => $value) {
            if (strtolower($key) === 'x-csrf-token') {
                return self::validateToken($value, $removeAfterValidation);
            }
        }
 
        Util::logWarning('CSRF validation failed: No token in request');
        return false;
    }

References getAllHeaders(), Util\logWarning(), and validateToken().

◆ validateToken()

validateToken	(		$token,
			$removeAfterValidation = false )

static

Validates a CSRF token.

Parameters

string \| null	$token	The token to validate
bool	$removeAfterValidation	Whether to remove the token after successful validation (one-time use)

Returns: bool True if token is valid, false otherwise

Definition at line 144 of file class.csrf.php.

    {
        self::init();
 
        // Check if token is provided
        if (empty($token) || !is_string($token)) {
            Util::logWarning('CSRF validation failed: No token provided');
            return false;
        }
 
        // Check if token exists in session
        if (!isset($_SESSION[self::SESSION_KEY][$token])) {
            Util::logWarning('CSRF validation failed: Token not found in session');
            return false;
        }
 
        // Check if token is expired
        $tokenTimestamp = $_SESSION[self::SESSION_KEY][$token];
        if (time() - $tokenTimestamp > self::TOKEN_EXPIRATION) {
            Util::logWarning('CSRF validation failed: Token expired');
            unset($_SESSION[self::SESSION_KEY][$token]);
            return false;
        }
 
        // Token is valid
        Util::logDebug('CSRF token validated successfully');
 
        // Remove token if one-time use is requested
        if ($removeAfterValidation) {
            unset($_SESSION[self::SESSION_KEY][$token]);
        }
 
        return true;
    }

References init(), Util\logDebug(), and Util\logWarning().

Referenced by validateRequest().

Field Documentation

◆ MAX_TOKENS

const MAX_TOKENS = 10

Maximum number of tokens to store per session This prevents session bloat from token accumulation

Definition at line 50 of file class.csrf.php.

◆ SESSION_KEY

const SESSION_KEY = 'bearsampp_csrf_tokens'

Session key for storing CSRF tokens

Definition at line 39 of file class.csrf.php.

◆ TOKEN_EXPIRATION

const TOKEN_EXPIRATION = 7200

Token expiration time in seconds (default: 2 hours)

Definition at line 44 of file class.csrf.php.

The documentation for this class was generated from the following file:

E:/Bearsampp-development/sandbox/core/classes/class.csrf.php

Static Public Member Functions

Data Fields

Static Private Member Functions

Detailed Description

Member Function Documentation

◆ cleanupExpiredTokens()

◆ generateToken()

◆ getAllHeaders()

◆ getStats()

◆ getToken()

◆ getTokenField()

◆ getTokenMeta()

◆ init()

◆ regenerateToken()

◆ validateOrDie()

◆ validateRequest()

◆ validateToken()

Field Documentation

◆ MAX_TOKENS

◆ SESSION_KEY

◆ TOKEN_EXPIRATION