====== System Security ======
(A whole package of individual elements. From password encryption to measurements to protect against cross-site scripting.)
===== SecureTokens against CrossSiteScripting =====
An essential component to protect against cross-site scripting is the use of tokens in the submission of forms and other change requests.
Website Baker is providing the class **S//ecureTokens//**. This class is always loaded automatically by the core and provides its methods. The configuration of the class and the use of methods has been kept as simple as possible.
==== Explanation of terms ====
**//FTAN//** => This term was chosen based on the **T**rans**A**ctions**N**umbers known from online banking, as they are also valid only for a single transaction within a strictly defined period of time. \\
In contrast to the simple, 4-digit TAN a full FTAN consists of a 16-digit alphanumeric identifier and the associated, also 16-digit, alphanumeric value. Both identifiers and the value change at each request on a random basis.
**//IDKEY//** => The second pillar of the security. It is mainly used to obscure the record IDs in forms and other requests. The ID will be replaced by a unique, 16-digit, alphanumeric value. If the same value is encrypted several times, it **always** obtains a different substitution value. For each request, for each form theoretically an infinite number of IDKEYs can be generated. The IDKEY reliably prevents for instance that on the client side in a change form the real Id of a record can be manipulated before sending and thereby illegally another record would be changed or even deleted.
==== Fixed Settings ====
^ constant ^ value ^ description ^
^ LIFETIME_MIN | 1800 | Minimum lifetime of a token in seconds |
^ LIFETIME_MAX | 7200 | Maximum lifetime of a token in seconds |
^ LIFETIME_STEP | 900 | Adjustable pitch between MIN and MAX in seconds |
^ DEBUG_LIFETIME | 300 | Token lifetime in seconds in DEBUG mode |
The maximum lifetime of the token is set to a sensible, reasonable processing time and should not be extended under any circumstances. Basically all tokens turn invalid when the current session times out. \\
:!: The longer the possible processing time is, the greater is the risk of a successful attack.
----
==== Registry-Settings ====
//(Variable settings)//\\
These four values can be set in the backend under //Settings security//.
**SecTokenLifeTime**\\
The 'life time' of tokens can be adjusted in increments of LIFETIME_STEP-seconds of LIFETIME_MIN to LIFETIME_MAX. \\
The adjustment is made by a corresponding entry in the registry using the Settings of the backend. \\
If a negative value (<0) is entered, the debug mode is activated with a lifetime of DEBUG_LIFTIME-seconds.
**SecTokenFingerprint**\\
Herewith the fingerprinting of the client can be turned completely on (**true**) or off (**false**). \\
Turning it off for security reasons is **not** recommended!
**SecTokenIpv4Netmask**\\
Herewith the IPv4 address network share to verify is specified. Allowed netmask lengths are 1-32 bit. A length of 0 bit logically disables IPv4 checking.
**SecTokenIpv6Netmask**\\
Herewith the IPv6 address network share to verify is specified. Allowed netmask lengths are 1-128 bit. A length of 0 bit logically disables IPv6 checking.
----
==== Available Methods ====
=== ::getFTAN ===
**Prototype:** mixed getFTAN(mixed $mMode = 'POST')\\
Returns the FTAN for the current request. During the first call to getFTAN() within a request a new FTAN is generated, which can then be accessed during the current request several times.
The argument **//$mMode //** defines the return format of the method.
* 'POST' returns an HTML input tag ( //// )
* 'GET' returns a string that can be inserted in a URL argument ( //'FTAN-name=FTAN-value'// )
* 'RAW' returns an array to pass to a template engine, in which the index '**name**' points to the //FTAN-name// and the index '**value**' points to the //FTAN-value//.
=== ::checkFtan ===
**Prototype:** bool checkFTAN(mixed $mMode = 'POST', bool $bPreserve = false)\\
It is checked whether a valid FTAN was passed in the current request. The argument $mMode determines where to look for the FTAN. By default this is $_POST, in any other case $_GET, each valid FTAN found will be immediately deleted from the list of active FTANs. So it can be interrogated strictly only once.
If the FTAN is valid the return value is TRUE or FALSE otherwise.
=== ::getIDKEY ===
**Prototype:** string getIDKEY(mixed $mValue)\\
The value passed to the method is saved and instead a value for a one-time, 16-digit alphanumeric key is returned.
The following data types can be passed: **//String//**, **//Integer//** and **//Array//**. The returned key value is simply transmitted to the client instead of the original value.
=== ::checkIDKEY ===
**Prototype:** mixed checkIDKEY(string $sFieldname, mixed $mDefault = 0, string $sRequest = 'POST'. bool $bPreserve = false)\\
* **//$sRequest//** If this argument contains the value '**//POST//** or **//GET//**, the content of **//$sFieldname//** is used as an identifier of a POST or GET element, whose value is to be decrypted. If it however contains '**//RAW//**' the content of **//$sFieldname//** directly contains the value to be decoded.
* **//$mDefault//** is the value that is returned if the key value is invalid.
=== ::sanitizeLifeTime ===
**Prototype:** integer sanitizeLifeTime(integer $iLifeTime)\\
The supplied integer value is corrected to an available interval between LIFETIME_MIN and LIFETIME_MAX. A negative value when activated DEBUG mode is mapped on DEBUG_LIFETIME, otherwise on LIFETIME_MIN. An invalid value is mapped on LIFETIME_MIN. The calculated value is returned.
=== ::getTokenLifeTime ===
**Prototype:** array getTokenLifeTime(void)\\
Returns an array with the following keys:
^Key ^ Description ^
| min | minimum lifetime in seconds |
| max | maximum lifetime in seconds |
| step | Increment in seconds |
| value| Set duration in seconds |
What are these values needed for? Transfered to the template, one can for instance implement a progress bar that visually displays the time until timeout.
----
==== Examples ====
:!: **Warning** Requests must be unique! The 'action' parameter of a **//form//** tag must not contain any additional URL arguments ( //*.php?x=1// ). Any necessary additional arguments must be passed with ////.
=== Form ===
$sOutput = '
=== Link ===
$sOutput = 'Tu was';
echo $sOutput;
// Evaluation
if ($oReg->App->checkFTAN('GET')) { /* everything OK */ }
$iRecordId = $oReg->App->checkIDKEY('record_id', 0, 'GET');
=== Twig-Template ===
view-script
$aTwigdata['TargetUrl'] = 'index.php';
$aTwigdata['FTAN'] = $oReg->App->getFTAN('RAW');
$aTwigdata['RecordId'] = $oReg->App->getIDKEY($record_id);
twig-template
// Example 1
// Example 2
Do something
save-script
// Example 1
if ($oReg->App->checkFTAN()) {
$record_id = $oReg->App->checkIDKEY('record_id');
[...]
}
// Example 2
if ($oReg->App->checkFTAN('GET')) {
$record_id = $oReg->App->checkIDKEY('record_id', 0, 'GET');
[...]
}