CSRF token stored in _SESSION #24

Author: mateusza

Middleware/CsrfGuard.php

@@ -56,7 +56,15 @@ public function call() {
     public function check() {
         // Create token
         $env = $this->app->environment();
-        $token = sha1($env['REMOTE_ADDR'] . '|' . $env['USER_AGENT']);
+
+        if ( PHP_SESSION_ACTIVE === session_status() ){
+            if ( ! isset( $_SESSION[ $this->key ] ) ){
+                $_SESSION[ $this->key ] = sha1( serialize( $_SERVER ) . rand( 0, 0xffffffff ) );
+            }
+        } else {
+            throw new Exception( "Session are required to use CSRF Guard" );
+        }
+        $token = $_SESSION[ $this -> key ];
 
         // Validate
         if ( in_array($this->app->request()->getMethod(), array('POST', 'PUT', 'DELETE')) ) {
@@ -74,4 +82,4 @@ public function check() {
     }
 }
 
-?>
+?>