class CsrfTokenGenerator
Same name in other branches
- 8.9.x core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator
- 10 core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator
- 11.x core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator
Generates and validates CSRF tokens.
Hierarchy
- class \Drupal\Core\Access\CsrfTokenGenerator
Expanded class hierarchy of CsrfTokenGenerator
See also
\Drupal\Tests\Core\Access\CsrfTokenGeneratorTest
15 files declare their use of CsrfTokenGenerator
- AjaxBasePageNegotiator.php in core/
lib/ Drupal/ Core/ Theme/ AjaxBasePageNegotiator.php - AjaxBasePageNegotiatorTest.php in core/
tests/ Drupal/ Tests/ Core/ Theme/ AjaxBasePageNegotiatorTest.php - BatchStorage.php in core/
lib/ Drupal/ Core/ Batch/ BatchStorage.php - CsrfTokenController.php in core/
modules/ system/ src/ Controller/ CsrfTokenController.php - CsrfTokenGeneratorTest.php in core/
tests/ Drupal/ Tests/ Core/ Access/ CsrfTokenGeneratorTest.php
1 string reference to 'CsrfTokenGenerator'
- core.services.yml in core/
core.services.yml - core/core.services.yml
1 service uses CsrfTokenGenerator
File
-
core/
lib/ Drupal/ Core/ Access/ CsrfTokenGenerator.php, line 15
Namespace
Drupal\Core\AccessView source
class CsrfTokenGenerator {
/**
* The private key service.
*
* @var \Drupal\Core\PrivateKey
*/
protected $privateKey;
/**
* The session metadata bag.
*
* @var \Drupal\Core\Session\MetadataBag
*/
protected $sessionMetadata;
/**
* Constructs the token generator.
*
* @param \Drupal\Core\PrivateKey $private_key
* The private key service.
* @param \Drupal\Core\Session\MetadataBag $session_metadata
* The session metadata bag.
*/
public function __construct(PrivateKey $private_key, MetadataBag $session_metadata) {
$this->privateKey = $private_key;
$this->sessionMetadata = $session_metadata;
}
/**
* Generates a token based on $value, the user session, and the private key.
*
* The generated token is based on the session of the current user. Normally,
* anonymous users do not have a session, so the generated token will be
* different on every page request. To generate a token for users without a
* session, manually start a session prior to calling this function.
*
* @param string $value
* (optional) An additional value to base the token on.
*
* @return string
* A 43-character URL-safe token for validation, based on the token seed,
* the hash salt provided by Settings::getHashSalt(), and the
* 'drupal_private_key' configuration variable.
*
* @see \Drupal\Core\Site\Settings::getHashSalt()
* @see \Symfony\Component\HttpFoundation\Session\SessionInterface::start()
*/
public function get($value = '') {
$seed = $this->sessionMetadata
->getCsrfTokenSeed();
if (empty($seed)) {
$seed = Crypt::randomBytesBase64();
$this->sessionMetadata
->setCsrfTokenSeed($seed);
}
return $this->computeToken($seed, $value);
}
/**
* Validates a token based on $value, the user session, and the private key.
*
* @param string $token
* The token to be validated.
* @param string $value
* (optional) An additional value to base the token on.
*
* @return bool
* TRUE for a valid token, FALSE for an invalid token.
*/
public function validate($token, $value = '') {
$seed = $this->sessionMetadata
->getCsrfTokenSeed();
if (empty($seed)) {
return FALSE;
}
$value = $this->computeToken($seed, $value);
// PHP 8.0 strictly typehints for hash_equals. Maintain BC until we can
// enforce scalar typehints on this method.
if (!is_string($token)) {
return FALSE;
}
return hash_equals($value, $token);
}
/**
* Generates a token based on $value, the token seed, and the private key.
*
* @param string $seed
* The per-session token seed.
* @param string $value
* (optional) An additional value to base the token on.
*
* @return string
* A 43-character URL-safe token for validation, based on the token seed,
* the hash salt provided by Settings::getHashSalt(), and the site private
* key.
*
* @see \Drupal\Core\Site\Settings::getHashSalt()
*/
protected function computeToken($seed, $value = '') {
return Crypt::hmacBase64($value, $seed . $this->privateKey
->get() . Settings::getHashSalt());
}
}
Members
Title Sort descending | Modifiers | Object type | Summary |
---|---|---|---|
CsrfTokenGenerator::$privateKey | protected | property | The private key service. |
CsrfTokenGenerator::$sessionMetadata | protected | property | The session metadata bag. |
CsrfTokenGenerator::computeToken | protected | function | Generates a token based on $value, the token seed, and the private key. |
CsrfTokenGenerator::get | public | function | Generates a token based on $value, the user session, and the private key. |
CsrfTokenGenerator::validate | public | function | Validates a token based on $value, the user session, and the private key. |
CsrfTokenGenerator::__construct | public | function | Constructs the token generator. |
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.