Destroy session when CSRF check fails.

ziadoz · ziadoz · commit 1a805c4247cd · 2012-09-10T12:40:44.000-06:00
Rails does this I believe. It's more graceful than just halting the application.
I also simplified the code and tweaked exception error messages.
diff --git a/Middleware/CsrfGuard.php b/Middleware/CsrfGuard.php
@@ -1,85 +1,74 @@
 <?php
 namespace Slim\Extras\Middleware;
 
-/**
- * CsrfGuard
- *
- * This middleware provides protection from CSRF attacks
- * USAGE
- *
- * // Adding middleware
- * $app = new Slim();
- * $app->add(new CsrfGuard());
- *
- * // Setting token in view
- * <input type="hidden" name="<?=$csrf_key?>" value="<?=$csrf_token?>">
- *
- * @author Mikhail Osher, https://github.com/miraage
- * @version 1.0
- */
 class CsrfGuard extends \Slim\Middleware
 {
     /**
-     * Request key
-     *
-     * @var string
-     */
-    protected $key;
+	 * CSRF token key.
+	 *
+	 * @var string
+	 */
+	protected $key;
 
-    /**
-     * Constructor
-     *
-     * @param string $key Request key
-     */
-    public function __construct($key = 'csrf_token')
-    {
-        // Validate key (i won't use htmlspecialchars)
-        if (!is_string($key) || empty($key) || preg_match('/[^a-zA-Z0-9\-\_]/', $key)) {
-            throw new OutOfBoundsException('Invalid key' . $key);
-        }
+	/**
+	 * Constructor.
+	 *
+	 * @param string $key CSRF token key.
+	 * @return void
+	 */
+	public function __construct($key = 'csrf_token') 
+	{
+		if (! is_string($key) || empty($key) || preg_match('/[^a-zA-Z0-9\-\_]/', $key)) {
+			throw new \OutOfBoundsException('Invalid CSRF token key "' . $key . '"');
+		}
 
-        $this->key = $key;
-    }
+		$this->key = $key;
+	}
 
-    /**
-     * Call middleware
-     */
-    public function call()
-    {
-        // Attach as hook
-        $this->app->hook('slim.before', array($this, 'check'));
+	/**
+	 * Call middleware.
+	 *
+	 * @return void
+	 */
+	public function call() 
+	{
+		// Attach as hook.
+		$this->app->hook('slim.before', array($this, 'check'));
 
-        // Call next middleware
-        $this->next->call();
-    }
+		// Call next middleware.
+		$this->next->call();
+	}
 
-    /**
-     * Check token
-     */
-    public function check()
-    {
-        // Create token
-        if (session_id() !== "") {
-            if (!isset($_SESSION[$this->key])) {
-                $_SESSION[$this->key] = sha1(serialize($_SERVER) . rand(0, 0xffffffff));
-            }
-        } else {
-            throw new Exception( "Session are required to use CSRF Guard" );
-        }
-        $token = $_SESSION[$this->key];
+	/**
+	 * Check CSRF token is valid.
+	 * Note: Also checks POST data to see if a Moneris RVAR CSRF token exists.
+	 *
+	 * @return void
+	 */
+	public function check() {
+		// Check sessions are enabled.
+		if (session_id() === '') {
+			throw new \Exception('Sessions are required to use the CSRF Guard middleware.');
+		}
+
+		if (! isset($_SESSION[$this->key])) {
+			$_SESSION[$this->key] = sha1(serialize($_SERVER) . rand(0, 0xffffffff));
+		}
+
+		$token = $_SESSION[$this->key];
 
-        // Validate
-        if (in_array($this->app->request()->getMethod(), array('POST', 'PUT', 'DELETE'))) {
-            $usertoken = $this->app->request()->post($this->key);
-            if ($token !== $usertoken) {
-                $this->app->halt(400, 'Missing token');
+		// Validate the CSRF token.
+		if (in_array($this->app->request()->getMethod(), array('POST', 'PUT', 'DELETE'))) {
+            $userToken = $this->app->request()->post($this->key);
+            if ($token !== $userToken) {
+                session_destroy();
             }
-        }
+		}
 
-        // Assign to view
-        $this->app->view()->appendData(array(
-            'csrf_key' => $this->key,
-            'csrf_token' => $token,
-        ));
-    }
-}
+		// Assign CSRF token key and value to view.
+		$this->app->view()->appendData(array(
+			'csrf_key' 		=> $this->key,
+			'csrf_token' 	=> $token,
+		));
+	}
+}
