3 * MediaWiki session token
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
24 namespace MediaWiki\Session
;
27 * Value object representing a CSRF token
33 /** CSRF token suffix. Plus and terminal backslash are included to stop
34 * editing from certain broken proxies. */
47 * @param string $secret Token secret
48 * @param string $salt Token salt
49 * @param bool $new Whether the secret was newly-created
51 public function __construct( $secret, $salt, $new = false ) {
52 $this->secret
= $secret;
58 * Decode the timestamp from a token string
60 * Does not validate the token beyond the syntactic checks necessary to
61 * be able to extract the timestamp.
63 * @param string $token
66 public static function getTimestamp( $token ) {
67 $suffixLen = strlen( self
::SUFFIX
);
68 $len = strlen( $token );
69 if ( $len <= 32 +
$suffixLen ||
70 substr( $token, -$suffixLen ) !== self
::SUFFIX ||
71 strspn( $token, '0123456789abcdef' ) +
$suffixLen !== $len
76 return hexdec( substr( $token, 32, -$suffixLen ) );
80 * Get the string representation of the token at a timestamp
81 * @param int $timestamp
84 protected function toStringAtTimestamp( $timestamp ) {
85 return hash_hmac( 'md5', $timestamp . $this->salt
, $this->secret
, false ) .
86 dechex( $timestamp ) .
91 * Get the string representation of the token
94 public function toString() {
95 return $this->toStringAtTimestamp( wfTimestamp() );
98 public function __toString() {
99 return $this->toString();
103 * Test if the token-string matches this token
104 * @param string $userToken
105 * @param int|null $maxAge Return false if $userToken is older than this many seconds
108 public function match( $userToken, $maxAge = null ) {
109 $timestamp = self
::getTimestamp( $userToken );
110 if ( $timestamp === null ) {
113 if ( $maxAge !== null && $timestamp < wfTimestamp() - $maxAge ) {
118 $sessionToken = $this->toStringAtTimestamp( $timestamp );
119 return hash_equals( $sessionToken, $userToken );
123 * Indicate whether this token was just created
126 public function wasNew() {