master/php/Token_8php_source.html

<?php

namespace MediaWiki\Session;


class Token {

    public const SUFFIX = '+\\';


    private $secret;


    private $salt;


    private $new;


    public function __construct( $secret, $salt, $new = false ) {

        $this->secret = $secret;

        $this->salt = $salt;

        $this->new = $new;

    }


    public static function getTimestamp( $token ) {

        $suffixLen = strlen( self::SUFFIX );

        $len = strlen( $token );

        if ( $len <= 32 + $suffixLen ||

            substr( $token, -$suffixLen ) !== self::SUFFIX ||

            strspn( $token, '0123456789abcdef' ) + $suffixLen !== $len

        ) {

            return null;

        }


        return hexdec( substr( $token, 32, -$suffixLen ) );

    }


    protected function toStringAtTimestamp( $timestamp ) {

        return hash_hmac( 'md5', $timestamp . $this->salt, $this->secret, false ) .

            dechex( $timestamp ) .

            self::SUFFIX;

    }


    public function toString() {

        return $this->toStringAtTimestamp( (int)wfTimestamp( TS_UNIX ) );

    }


    public function __toString() {

        return $this->toString();

    }


    public function match( $userToken, $maxAge = null ) {

        if ( !$userToken ) {

            return false;

        }

        $timestamp = self::getTimestamp( $userToken );

        if ( $timestamp === null ) {

            return false;

        }

        if ( $maxAge !== null && $timestamp < (int)wfTimestamp( TS_UNIX ) - $maxAge ) {

            // Expired token

            return false;

        }


        $sessionToken = $this->toStringAtTimestamp( $timestamp );

        return hash_equals( $sessionToken, $userToken );

    }


    public function wasNew() {

        return $this->new;

    }


}


wfTimestamp
wfTimestamp( $outputtype=TS_UNIX, $ts=0)
Get a timestamp string in one of various formats.
Definition GlobalFunctions.php:1365

getTimestamp
getTimestamp()
Definition RevisionSearchResultTrait.php:197

MediaWiki\Session\Token
Value object representing a CSRF token.
Definition Token.php:32

MediaWiki\Session\Token\__toString
__toString()
Definition Token.php:99

MediaWiki\Session\Token\match
match( $userToken, $maxAge=null)
Test if the token-string matches this token.
Definition Token.php:109

MediaWiki\Session\Token\__construct
__construct( $secret, $salt, $new=false)
Definition Token.php:52

MediaWiki\Session\Token\toString
toString()
Get the string representation of the token.
Definition Token.php:95

MediaWiki\Session\Token\wasNew
wasNew()
Indicate whether this token was just created.
Definition Token.php:130

MediaWiki\Session\Token\toStringAtTimestamp
toStringAtTimestamp( $timestamp)
Get the string representation of the token at a timestamp.
Definition Token.php:85

MediaWiki\Session\Token\SUFFIX
const SUFFIX
CSRF token suffix.
Definition Token.php:36

MediaWiki\Session\Token\getTimestamp
static getTimestamp( $token)
Decode the timestamp from a token string.
Definition Token.php:67

MediaWiki\Session
Definition BotPasswordSessionProvider.php:24