User Tools

Site Tools


System Security

(A whole package of individual elements. From password encryption to measurements to protect against cross-site scripting.)

SecureTokens against CrossSiteScripting

An essential component to protect against cross-site scripting is the use of tokens in the submission of forms and other change requests. Website Baker is providing the class SecureTokens. This class is always loaded automatically by the core and provides its methods. The configuration of the class and the use of methods has been kept as simple as possible.

Explanation of terms

FTAN ⇒ This term was chosen based on the TransActionsNumbers known from online banking, as they are also valid only for a single transaction within a strictly defined period of time.
In contrast to the simple, 4-digit TAN a full FTAN consists of a 16-digit alphanumeric identifier and the associated, also 16-digit, alphanumeric value. Both identifiers and the value change at each request on a random basis.

IDKEY ⇒ The second pillar of the security. It is mainly used to obscure the record IDs in forms and other requests. The ID will be replaced by a unique, 16-digit, alphanumeric value. If the same value is encrypted several times, it always obtains a different substitution value. For each request, for each form theoretically an infinite number of IDKEYs can be generated. The IDKEY reliably prevents for instance that on the client side in a change form the real Id of a record can be manipulated before sending and thereby illegally another record would be changed or even deleted.

Fixed Settings

constant value description
LIFETIME_MIN 1800 Minimum lifetime of a token in seconds
LIFETIME_MAX 7200 Maximum lifetime of a token in seconds
LIFETIME_STEP 900 Adjustable pitch between MIN and MAX in seconds
DEBUG_LIFETIME 300 Token lifetime in seconds in DEBUG mode

The maximum lifetime of the token is set to a sensible, reasonable processing time and should not be extended under any circumstances. Basically all tokens turn invalid when the current session times out.
:!: The longer the possible processing time is, the greater is the risk of a successful attack.


(Variable settings)
These four values can be set in the backend under Settings security.

The 'life time' of tokens can be adjusted in increments of LIFETIME_STEP-seconds of LIFETIME_MIN to LIFETIME_MAX.
The adjustment is made by a corresponding entry in the registry using the Settings of the backend.
If a negative value (<0) is entered, the debug mode is activated with a lifetime of DEBUG_LIFTIME-seconds.

Herewith the fingerprinting of the client can be turned completely on (true) or off (false).
Turning it off for security reasons is not recommended!

Herewith the IPv4 address network share to verify is specified. Allowed netmask lengths are 1-32 bit. A length of 0 bit logically disables IPv4 checking.

Herewith the IPv6 address network share to verify is specified. Allowed netmask lengths are 1-128 bit. A length of 0 bit logically disables IPv6 checking.

Available Methods


Prototype: mixed getFTAN(mixed $mMode = 'POST')
Returns the FTAN for the current request. During the first call to getFTAN() within a request a new FTAN is generated, which can then be accessed during the current request several times. The argument $mMode defines the return format of the method.

  • 'POST' returns an HTML input tag ( <input type=“hidden” name=“FTAN-name” value=“FTAN-value” title=“”> )
  • 'GET' returns a string that can be inserted in a URL argument ( 'FTAN-name=FTAN-value' )
  • 'RAW' returns an array to pass to a template engine, in which the index 'name' points to the FTAN-name and the index 'value' points to the FTAN-value.


Prototype: bool checkFTAN(mixed $mMode = 'POST', bool $bPreserve = false)
It is checked whether a valid FTAN was passed in the current request. The argument $mMode determines where to look for the FTAN. By default this is $_POST, in any other case $_GET, each valid FTAN found will be immediately deleted from the list of active FTANs. So it can be interrogated strictly only once. If the FTAN is valid the return value is TRUE or FALSE otherwise.


Prototype: string getIDKEY(mixed $mValue)
The value passed to the method is saved and instead a value for a one-time, 16-digit alphanumeric key is returned. The following data types can be passed: String, Integer and Array. The returned key value is simply transmitted to the client instead of the original value.


Prototype: mixed checkIDKEY(string $sFieldname, mixed $mDefault = 0, string $sRequest = 'POST'. bool $bPreserve = false)

  • $sRequest If this argument contains the value 'POST or GET, the content of $sFieldname is used as an identifier of a POST or GET element, whose value is to be decrypted. If it however contains 'RAW' the content of $sFieldname directly contains the value to be decoded.
  • $mDefault is the value that is returned if the key value is invalid.


Prototype: integer sanitizeLifeTime(integer $iLifeTime)
The supplied integer value is corrected to an available interval between LIFETIME_MIN and LIFETIME_MAX. A negative value when activated DEBUG mode is mapped on DEBUG_LIFETIME, otherwise on LIFETIME_MIN. An invalid value is mapped on LIFETIME_MIN. The calculated value is returned.


Prototype: array getTokenLifeTime(void)
Returns an array with the following keys:

Key Description
min minimum lifetime in seconds
max maximum lifetime in seconds
step Increment in seconds
value Set duration in seconds

What are these values needed for? Transfered to the template, one can for instance implement a progress bar that visually displays the time until timeout.


:!: Warning Requests must be unique! The 'action' parameter of a form tag must not contain any additional URL arguments ( *.php?x=1 ). Any necessary additional arguments must be passed with <input type=“hidden” …>.


$sOutput = '<form method="post" action="index.php">'
         . $oReg->App->getFTAN()
         . '<input type="hidden" name="record_id" value="'.$oReg->App->getIDKEY($iRecordId).'">';
echo $sOutput;    
// Evaluation
if ($oReg->App->checkFTAN('POST')) { /* everythig OK */ }
$iRecordId = $oReg->App->checkIDKEY('record_id', 0, 'POST');
$sOutput = '<a href="index.php?'.$oReg->App->getFTAN('GET').'&record_id='
         . $oReg->App->getIDKEY($iRecordId),'" title="xx">Tu was</a>';
echo $sOutput;    
// Evaluation
if ($oReg->App->checkFTAN('GET')) { /* everything OK */ }
$iRecordId = $oReg->App->checkIDKEY('record_id', 0, 'GET');


$aTwigdata['TargetUrl'] = 'index.php';
$aTwigdata['FTAN']      = $oReg->App->getFTAN('RAW');
$aTwigdata['RecordId']  = $oReg->App->getIDKEY($record_id);
// Example 1
 <form method="post" action="{{ TargetUrl }}">
   <input type="hidden" name="{{ }}" value="{{ FTAN.value }}">
   <input type="hidden" name="record_id" value="{{ RecordId }}">
// Example 2
 <a href="{{ TargetUrl }}?{{ }}={{ FTAN.value }}&record_id={{ RecordId }}" title="xx">Do something</a>
// Example 1
if ($oReg->App->checkFTAN()) {
    $record_id = $oReg->App->checkIDKEY('record_id');
// Example 2
if ($oReg->App->checkFTAN('GET')) {
    $record_id = $oReg->App->checkIDKEY('record_id', 0, 'GET');
en/dev/284/security.txt · Last modified: 24.03.2016 21:41 by Martin Hecht