vendor/symfony/security-csrf/TokenStorage/SessionTokenStorage.php line 101

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Csrf\TokenStorage;
  14. use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\RequestStack;
  17. use Symfony\Component\HttpFoundation\Session\Session;
  18. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  19. use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
  20. use Symfony\Component\Security\Csrf\Exception\TokenNotFoundException;
  22. /**
  23. * Token storage that uses a Symfony Session object.
  24. *
  25. * @author Bernhard Schussek <bschussek@gmail.com>
  26. */
  27. class SessionTokenStorage implements ClearableTokenStorageInterface
  28. {
  29. /**
  30. * The namespace used to store values in the session.
  31. */
  32. public const SESSION_NAMESPACE = '_csrf';
  34. private $requestStack;
  35. private $namespace;
  36. /**
  37. * To be removed in Symfony 6.0.
  38. */
  39. private $session;
  41. /**
  42. * Initializes the storage with a RequestStack object and a session namespace.
  43. *
  44. * @param RequestStack $requestStack
  45. * @param string $namespace The namespace under which the token is stored in the requestStack
  46. */
  47. public function __construct(/* RequestStack */ $requestStack, string $namespace = self::SESSION_NAMESPACE)
  48. {
  49. if ($requestStack instanceof SessionInterface) {
  50. trigger_deprecation('symfony/security-csrf', '5.3', 'Passing a "%s" to "%s" is deprecated, use a "%s" instead.', SessionInterface::class, __CLASS__, RequestStack::class);
  51. $request = new Request();
  52. $request->setSession($requestStack);
  54. $requestStack = new RequestStack();
  55. $requestStack->push($request);
  56. }
  57. $this->requestStack = $requestStack;
  58. $this->namespace = $namespace;
  59. }
  61. /**
  62. * {@inheritdoc}
  63. */
  64. public function getToken(string $tokenId)
  65. {
  66. $session = $this->getSession();
  67. if (!$session->isStarted()) {
  68. $session->start();
  69. }
  71. if (!$session->has($this->namespace.'/'.$tokenId)) {
  72. throw new TokenNotFoundException('The CSRF token with ID '.$tokenId.' does not exist.');
  73. }
  75. return (string) $session->get($this->namespace.'/'.$tokenId);
  76. }
  78. /**
  79. * {@inheritdoc}
  80. */
  81. public function setToken(string $tokenId, string $token)
  82. {
  83. $session = $this->getSession();
  84. if (!$session->isStarted()) {
  85. $session->start();
  86. }
  88. $session->set($this->namespace.'/'.$tokenId, $token);
  89. }
  91. /**
  92. * {@inheritdoc}
  93. */
  94. public function hasToken(string $tokenId)
  95. {
  96. $session = $this->getSession();
  97. if (!$session->isStarted()) {
  98. $session->start();
  99. }
  101. return $session->has($this->namespace.'/'.$tokenId);
  102. }
  104. /**
  105. * {@inheritdoc}
  106. */
  107. public function removeToken(string $tokenId)
  108. {
  109. $session = $this->getSession();
  110. if (!$session->isStarted()) {
  111. $session->start();
  112. }
  114. return $session->remove($this->namespace.'/'.$tokenId);
  115. }
  117. /**
  118. * {@inheritdoc}
  119. */
  120. public function clear()
  121. {
  122. $session = $this->getSession();
  123. foreach (array_keys($session->all()) as $key) {
  124. if (str_starts_with($key, $this->namespace.'/')) {
  125. $session->remove($key);
  126. }
  127. }
  128. }
  130. private function getSession(): SessionInterface
  131. {
  132. try {
  133. return $this->session ?? $this->requestStack->getSession();
  134. } catch (SessionNotFoundException $e) {
  135. trigger_deprecation('symfony/security-csrf', '5.3', 'Using the "%s" without a session has no effect and is deprecated. It will throw a "%s" in Symfony 6.0', __CLASS__, SessionNotFoundException::class);
  137. return $this->session ?? $this->session = new Session(new MockArraySessionStorage());
  138. }
  139. }
  140. }