Commit 4eac00a0 authored by Taylor Otwell's avatar Taylor Otwell

Use hash_hmac on cookie hashes.

parent 064309c0
...@@ -80,7 +80,7 @@ class Cookie { ...@@ -80,7 +80,7 @@ class Cookie {
$expiration = time() + ($expiration * 60); $expiration = time() + ($expiration * 60);
} }
$value = sha1($value.Config::get('application.key')).'+'.$value; $value = static::hash($value).'+'.$value;
// If the secure option is set to true, yet the request is not over HTTPS // If the secure option is set to true, yet the request is not over HTTPS
// we'll throw an exception to let the developer know that they are // we'll throw an exception to let the developer know that they are
...@@ -127,6 +127,17 @@ class Cookie { ...@@ -127,6 +127,17 @@ class Cookie {
return static::put($name, null, -2000, $path, $domain, $secure); return static::put($name, null, -2000, $path, $domain, $secure);
} }
/**
* Hash the given cookie value.
*
* @param string $value
* @return string
*/
public static function hash($value)
{
return hash_hmac('sha1', $value, Config::get('application.key'));
}
/** /**
* Parse a hash fingerprinted cookie value. * Parse a hash fingerprinted cookie value.
* *
...@@ -142,7 +153,7 @@ class Cookie { ...@@ -142,7 +153,7 @@ class Cookie {
// ahead and throw exceptions now since there the cookie is invalid. // ahead and throw exceptions now since there the cookie is invalid.
if ( ! (count($segments) >= 2)) if ( ! (count($segments) >= 2))
{ {
throw new \Exception("Cookie was not set by application."); return null;
} }
$value = implode('+', array_slice($segments, 1)); $value = implode('+', array_slice($segments, 1));
...@@ -150,12 +161,12 @@ class Cookie { ...@@ -150,12 +161,12 @@ class Cookie {
// Now we will check if the SHA-1 hash present in the first segment matches // Now we will check if the SHA-1 hash present in the first segment matches
// the ShA-1 hash of the rest of the cookie value, since the hash should // the ShA-1 hash of the rest of the cookie value, since the hash should
// have been set when the cookie was first created by the application. // have been set when the cookie was first created by the application.
if ($segments[0] == sha1($value.Config::get('application.key'))) if ($segments[0] == static::hash($value))
{ {
return $value; return $value;
} }
throw new \Exception("Cookie has been modified by client."); return null;
} }
} }
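Review bot: The fingerprint check `if ($segments[0] == static::hash($value))` still uses loose `==`, under which two hex digests that both parse as numeric strings (e.g. the `0e…` form) compare equal, and the comparison is not constant-time; compare with `if (hash_equals(static::hash($value), $segments[0]))` where the runtime provides it, or at minimum `===`. The comments around the new code are now stale: the block above says "go ahead and throw exceptions now since there the cookie is invalid" while the new code returns null, and the "SHA-1 hash" / "ShA-1 hash" comments describe a plain digest although `hash()` now produces a keyed HMAC — reword to e.g. `// Now we will check if the HMAC in the first segment matches the HMAC of the rest of the cookie value, which was set when the cookie was created`. The `hash()` docblock should state that the MAC is keyed with `application.key`, and that `hash_hmac` accepts an empty key silently, so an unset key degrades this to an unkeyed digest that any client can forge — worth a guard or at least a note. Since the parser now returns null for malformed or tampered values, its `@return` tag (outside this hunk) should read `string|null` if it still says `string`.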
...@@ -67,7 +67,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase { ...@@ -67,7 +67,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase {
*/ */
public function testHasMethodIndicatesIfCookieInSet() public function testHasMethodIndicatesIfCookieInSet()
{ {
Cookie::$jar['foo'] = array('value' => sha1('bar'.Config::get('application.key')).'+bar'); Cookie::$jar['foo'] = array('value' => Cookie::hash('bar').'+bar');
$this->assertTrue(Cookie::has('foo')); $this->assertTrue(Cookie::has('foo'));
$this->assertFalse(Cookie::has('bar')); $this->assertFalse(Cookie::has('bar'));
...@@ -82,7 +82,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase { ...@@ -82,7 +82,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase {
*/ */
public function testGetMethodCanReturnValueOfCookies() public function testGetMethodCanReturnValueOfCookies()
{ {
Cookie::$jar['foo'] = array('value' => sha1('bar'.Config::get('application.key')).'+bar'); Cookie::$jar['foo'] = array('value' => Cookie::hash('bar').'+bar');
$this->assertEquals('bar', Cookie::get('foo')); $this->assertEquals('bar', Cookie::get('foo'));
Cookie::put('bar', 'baz'); Cookie::put('bar', 'baz');
...@@ -97,7 +97,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase { ...@@ -97,7 +97,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase {
public function testForeverShouldUseATonOfMinutes() public function testForeverShouldUseATonOfMinutes()
{ {
Cookie::forever('foo', 'bar'); Cookie::forever('foo', 'bar');
$this->assertEquals(sha1('bar'.Config::get('application.key')).'+bar', Cookie::$jar['foo']['value']); $this->assertEquals(Cookie::hash('bar').'+bar', Cookie::$jar['foo']['value']);
// Shouldn't be able to test this cause while we indicate -2000 seconds // Shouldn't be able to test this cause while we indicate -2000 seconds
// cookie expiration store timestamp. // cookie expiration store timestamp.
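Review bot: The updated fixtures only exercise the accepting path, building `Cookie::hash('bar').'+bar'` and asserting the value round-trips; the behaviour this commit changes in the parser — a value with a wrong fingerprint or fewer than two `+` segments now yields null instead of an exception — is not asserted in the visible hunks. If no such test exists elsewhere in the file, add one along the lines of `Cookie::$jar['foo'] = array('value' => 'notthehash+bar'); $this->assertNull(Cookie::get('foo'));` so that a regression to `==`-style acceptance or to the old exception is caught. The same fixture-only change appears in the SessionTest hunk below.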
...@@ -372,7 +372,7 @@ class SessionTest extends PHPUnit_Framework_TestCase { ...@@ -372,7 +372,7 @@ class SessionTest extends PHPUnit_Framework_TestCase {
$cookie = Cookie::$jar[Config::get('session.cookie')]; $cookie = Cookie::$jar[Config::get('session.cookie')];
$this->assertEquals(sha1('foo'.Config::get('application.key')).'+foo', $cookie['value']); $this->assertEquals(Cookie::hash('foo').'+foo', $cookie['value']);
// Shouldn't be able to test this cause session.lifetime store number of minutes // Shouldn't be able to test this cause session.lifetime store number of minutes
// while cookie expiration store timestamp when it going to expired. // while cookie expiration store timestamp when it going to expired.
// $this->assertEquals(Config::get('session.lifetime'), $cookie['expiration']); // $this->assertEquals(Config::get('session.lifetime'), $cookie['expiration']);