class CsrfTokenGenerator

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator
  2. 8.9.x core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator
  3. 10 core/lib/Drupal/Core/Access/CsrfTokenGenerator.php \Drupal\Core\Access\CsrfTokenGenerator

Generates and validates CSRF tokens.

Hierarchy

Expanded class hierarchy of CsrfTokenGenerator

See also

\Drupal\Tests\Core\Access\CsrfTokenGeneratorTest

11 files declare their use of CsrfTokenGenerator
AjaxBasePageNegotiator.php in core/lib/Drupal/Core/Theme/AjaxBasePageNegotiator.php
AjaxBasePageNegotiatorTest.php in core/tests/Drupal/Tests/Core/Theme/AjaxBasePageNegotiatorTest.php
BatchStorage.php in core/lib/Drupal/Core/Batch/BatchStorage.php
CsrfTokenController.php in core/modules/system/src/Controller/CsrfTokenController.php
CsrfTokenGeneratorTest.php in core/tests/Drupal/Tests/Core/Access/CsrfTokenGeneratorTest.php

... See full list

File

core/lib/Drupal/Core/Access/CsrfTokenGenerator.php, line 15

Namespace

Drupal\Core\Access
View source 
class CsrfTokenGenerator {
    
    /**
     * The private key service.
     *
     * @var \Drupal\Core\PrivateKey
     */
    protected $privateKey;
    
    /**
     * The session metadata bag.
     *
     * @var \Drupal\Core\Session\MetadataBag
     */
    protected $sessionMetadata;
    
    /**
     * Constructs the token generator.
     *
     * @param \Drupal\Core\PrivateKey $private_key
     *   The private key service.
     * @param \Drupal\Core\Session\MetadataBag $session_metadata
     *   The session metadata bag.
     */
    public function __construct(PrivateKey $private_key, MetadataBag $session_metadata) {
        $this->privateKey = $private_key;
        $this->sessionMetadata = $session_metadata;
    }
    
    /**
     * Generates a token based on $value, the user session, and the private key.
     *
     * The generated token is based on the session of the current user. Normally,
     * anonymous users do not have a session, so the generated token will be
     * different on every page request. To generate a token for users without a
     * session, manually start a session prior to calling this function.
     *
     * @param string $value
     *   (optional) An additional value to base the token on.
     *
     * @return string
     *   A 43-character URL-safe token for validation, based on the token seed,
     *   the hash salt provided by Settings::getHashSalt(), and the
     *   'drupal_private_key' configuration variable.
     *
     * @see \Drupal\Core\Site\Settings::getHashSalt()
     * @see \Symfony\Component\HttpFoundation\Session\SessionInterface::start()
     */
    public function get($value = '') {
        $seed = $this->sessionMetadata
            ->getCsrfTokenSeed();
        if (empty($seed)) {
            $seed = Crypt::randomBytesBase64();
            $this->sessionMetadata
                ->setCsrfTokenSeed($seed);
        }
        return $this->computeToken($seed, $value);
    }
    
    /**
     * Validates a token based on $value, the user session, and the private key.
     *
     * @param string $token
     *   The token to be validated.
     * @param string $value
     *   (optional) An additional value to base the token on.
     *
     * @return bool
     *   TRUE for a valid token, FALSE for an invalid token.
     */
    public function validate($token, $value = '') {
        $seed = $this->sessionMetadata
            ->getCsrfTokenSeed();
        if (empty($seed)) {
            return FALSE;
        }
        $value = $this->computeToken($seed, $value);
        // PHP 8.0 strictly type hints for hash_equals. Maintain BC until we can
        // enforce scalar type hints on this method.
        if (!is_string($token)) {
            return FALSE;
        }
        return hash_equals($value, $token);
    }
    
    /**
     * Generates a token based on $value, the token seed, and the private key.
     *
     * @param string $seed
     *   The per-session token seed.
     * @param string $value
     *   (optional) An additional value to base the token on.
     *
     * @return string
     *   A 43-character URL-safe token for validation, based on the token seed,
     *   the hash salt provided by Settings::getHashSalt(), and the site private
     *   key.
     *
     * @see \Drupal\Core\Site\Settings::getHashSalt()
     */
    protected function computeToken($seed, $value = '') {
        return Crypt::hmacBase64($value, $seed . $this->privateKey
            ->get() . Settings::getHashSalt());
    }

}

Members

Title Modifiers Object type Summary
CsrfTokenGenerator::$privateKey protected property The private key service.
CsrfTokenGenerator::$sessionMetadata protected property The session metadata bag.
CsrfTokenGenerator::computeToken protected function Generates a token based on $value, the token seed, and the private key.
CsrfTokenGenerator::get public function Generates a token based on $value, the user session, and the private key.
CsrfTokenGenerator::validate public function Validates a token based on $value, the user session, and the private key.
CsrfTokenGenerator::__construct public function Constructs the token generator.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.