* false: Force NOT setting the secure attribute when setting the cookie
* null (default): Use the default ($wgCookieSecure) to set the secure attribute
* @param array $params Array of options sent passed to WebResponse::setcookie()
+ * @param WebRequest|null $request WebRequest object to use; $wgRequest will be used if null
+ * is passed.
*/
- protected function setCookie( $name, $value, $exp = 0, $secure = null, $params = array() ) {
+ protected function setCookie( $name, $value, $exp = 0, $secure = null, $params = array(), $request = null ) {
+ if ( $request === null ) {
+ $request = $this->getRequest();
+ }
$params['secure'] = $secure;
- $this->getRequest()->response()->setcookie( $name, $value, $exp, $params );
+ $request->response()->setcookie( $name, $value, $exp, $params );
}
/**
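Review bot: The added `@param` text for `$request` says `$wgRequest` is used when null is passed, but the new body falls back to `$this->getRequest()`, and this hunk does not show that the two are always the same object. The doc should name the call the code makes, for example `@param WebRequest|null $request WebRequest whose response receives the cookie; $this->getRequest() is used if null`. The docblock could also state that the Secure attribute still comes only from `$secure` (or `$wgCookieSecure` when null), because `$params['secure'] = $secure;` is unchanged and nothing is derived from the request passed in. The docblock starts above the first visible line of the hunk.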
if ( $value === false ) {
$this->clearCookie( $name );
} else {
- $this->setCookie( $name, $value, 0, $secure );
+ $this->setCookie( $name, $value, 0, $secure, array(), $request );
}
}
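Review bot: Only the `else` branch forwards `$request`; the `$value === false` branch still calls `$this->clearCookie( $name )` without it. A caller that supplies its own request therefore presumably gets the set on that request's response and the clear on the default one. clearCookie's body is not visible here, but if it writes through the user's default request, a cookie that was meant to be removed can survive on the response that is actually sent. Either give `clearCookie` the same optional `$request` argument and pass it here, or add a comment on that branch such as `// clearing always targets $this->getRequest(); $request is ignored here`. The enclosing function starts and ends outside this hunk.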
return MWCryptRand::generateHex( 32 );
}
+ /**
+ * Get the embedded timestamp from a token.
+ * @param string $val Input token
+ * @return int|null
+ */
+ public static function getEditTokenTimestamp( $val ) {
+ $suffixLen = strlen( self::EDIT_TOKEN_SUFFIX );
+ if ( strlen( $val ) <= 32 + $suffixLen ) {
+ return null;
+ }
+
+ return hexdec( substr( $val, 32, -$suffixLen ) );
+ }
+
/**
* Check given value against the token value stored in the session.
* A match should confirm that the form was submitted from the
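Review bot: `getEditTokenTimestamp()` is public and static, and it returns whatever sits between the 32-character prefix and the suffix without checking the token against the session. The value is therefore caller-controlled until the token check below has passed, and the docblock should say so, e.g. `The timestamp is not authenticated; only rely on it after the token itself has been verified.` `hexdec()` also skips non-hex characters (with a deprecation notice since PHP 7.4) and returns a float once the value exceeds the int range, which does not match `@return int|null`. A guard before the return, `$hex = substr( $val, 32, -$suffixLen );` followed by `if ( !ctype_xdigit( $hex ) ) { return null; }`, would make malformed input fail closed in the expiry comparison that consumes this value. Only the length is checked here, not that the tail equals `EDIT_TOKEN_SUFFIX`; that may be intentional, but it deserves a comment.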
return $val === self::EDIT_TOKEN_SUFFIX;
}
- $suffixLen = strlen( self::EDIT_TOKEN_SUFFIX );
- if ( strlen( $val ) <= 32 + $suffixLen ) {
+ $timestamp = self::getEditTokenTimestamp( $val );
+ if ( $timestamp === null ) {
return false;
}
-
- $timestamp = hexdec( substr( $val, 32, -$suffixLen ) );
if ( $maxage !== null && $timestamp < wfTimestamp() - $maxage ) {
// Expired token
return false;