This is an old revision of the document!
This page is not fully translated, yet. Please help completing the translation.
(remove this paragraph once the translation is finished)
(A whole package of individual elements. From password encryption to measurements to protect against cross-site scripting.)
An essential component to protect against cross-site scripting is the use of tokens in the submission of forms and other change requests. Website Baker is providing the class SecureTokens. This class is always loaded automatically by the core and provides its methods. The configuration of the class and the use of methods has been kept as simple as possible.
FTAN ⇒ This term was chosen based on the TransActionsNumbers known from online banking, as they are also valid only for a single transaction within a strictly defined period of time.
In contrast to the simple, 4-digit TAN a full FTAN consists of a 16-digit alphanumeric identifier and the associated, also 16-digit, alphanumeric value. Both identifiers and the value change at each request on a random basis.
IDKEY ⇒ The second pillar of the security. It is mainly used to obscure the record IDs in forms and other requests. The ID will be replaced by a unique, 16-digit, alphanumeric value. If the same value is encrypted several times, it always obtains a different substitution value. For each request, for each form theoretically an infinite number of IDKEYs can be generated. The IDKEY reliably prevents for instance that on the client side in a change form the real Id of a record can be manipulated before sending and thereby illegally another record would be changed or even deleted.
constant | value | description |
---|---|---|
LIFETIME_MIN | 1800 | Minimum lifetime of a token in seconds |
LIFETIME_MAX | 7200 | Maximum lifetime of a token in seconds |
LIFETIME_STEP | 900 | Adjustable pitch between MIN and MAX in seconds |
DEBUG_LIFETIME | 300 | Token lifetime in seconds in DEBUG mode |
The maximum lifetime of the token is set to a sensible, reasonable processing time and should not be extended under any circumstances. Basically all tokens turn invalid when the current session times out.
The longer the possible processing time is, the greater is the risk of a successful attack.
(Variable settings)
These four values can be set in the backend under Settings security.
SecTokenLifeTime
The 'life time' of tokens can be adjusted in increments of LIFETIME_STEP-seconds of LIFETIME_MIN to LIFETIME_MAX.
The adjustment is made by a corresponding entry in the registry using the Settings of the backend.
If a negative value (<0) is entered, the debug mode is activated with a lifetime of DEBUG_LIFTIME-seconds.
SecTokenFingerprint
Herewith the fingerprinting of the client can be turned completely on (true) or off (false).
Turning it off for security reasons is not recommended!
SecTokenIpv4Netmask
Herewith the IPv4 address network share to verify is specified. Allowed netmask lengths are 1-32 bit. A length of 0 bit logically disables IPv4 checking.
SecTokenIpv6Netmask
Herewith the IPv6 address network share to verify is specified. Allowed netmask lengths are 1-128 bit. A length of 0 bit logically disables IPv6 checking.
Prototype: <php>mixed getFTAN(mixed $mMode = 'POST')</php>
Returns the FTAN for the current request. During the first call to getFTAN() within a request a new FTAN is generated, which can then be accessed during the current request several times.
The argument $mMode defines the return format of the method.
Prototype: <php>bool checkFTAN(mixed $mMode = 'POST', bool $bPreserve = false)</php>
It is checked whether a valid FTAN was passed in the current request. The argument $mMode determines where to look for the FTAN. By default this is $_POST, in any other case $_GET, each valid FTAN found will be immediately deleted from the list of active FTANs. So it can be interrogated strictly only once.
If the FTAN is valid the return value is TRUE or FALSE otherwise.
Prototype: <php>string getIDKEY(mixed $mValue)</php>
Der an die Methode übergebene Wert wird gesichert und dafür ein einmaliger, 16-stelliger, alphanumerischer Schlüsselwert zurückgegeben.
Es können folgende Datentypen übergeben werden: String, Integer und Array. Der zurückgegebene Schlüsselwert wird einfach anstatt des Originalwertes an den Client gesendet.
Prototype: <php>mixed checkIDKEY(string $sFieldname, mixed $mDefault = 0, string $sRequest = 'POST'. bool $bPreserve = false)</php>
Prototype: <php>integer sanitizeLifeTime(integer $iLifeTime)</php>
Ein übergebener Integer-Wert wird auf eine verfügbare Intervallstufe zwischen LIFETIME_MIN und LIFETIME_MAX korrigiert. Ein negativer Wert bei aktiviertem DEBUG-Modus auf DEBUG_LIFETIME, ansonsten auf LIFETIME_MIN. Ein ungültiger Wert grundsätzlich auf LIFETIME_MIN. Der berechnete Wert wird zurückgegeben.
Prototype: <php>array getTokenLifeTime(void)</php>
Gibt ein Array mit folgenden Schlüsseln zurück:
Schlüssel | Beschreibung |
---|---|
min | minimale Lebensdauer in Sekunden |
max | maximale Lebensdauer in Sekunden |
step | Schrittweite in Sekunden |
value | Eingestellte Laufzeit in Sekunden |
Wozu werden diese Werte benötigt? An das Template übergeben, lässt sich z.B. eine Fortschrittsanzeige realisieren, die optisch die Zeit bis zum Timeout anzeigt.
Achtung: Requests müssen eindeutig sein! Der 'action' Parameter eines form Tags darf keine zusätzlichen URL-Argumente ( *.php?x=1 ) enthalten. Eventuell notwendige Zusatzargumente müssen mit <input type=“hidden” …> übergeben werden.
<PHP> $sOutput = '<form method=“post” action=“index.php”>'
. $oReg->App->getFTAN() . '<input type="hidden" name="record_id" value="'.$oReg->App->getIDKEY($iRecordId).'">';
echo $sOutput;
Auswertung if ($oReg→App→checkFTAN('POST')) { } $iRecordId = $oReg→App→checkIDKEY('record_id', 0, 'POST'); </PHP> === Link === <PHP> $sOutput = '<a href=“index.php?'.$oReg→App→getFTAN('GET').'&record_id=' . $oReg→App→getIDKEY($iRecordId),'” title=“xx”>Tu was</a>'; echo $sOutput; Auswertung
if ($oReg→App→checkFTAN('GET')) { }
$iRecordId = $oReg→App→checkIDKEY('record_id', 0, 'GET'); </PHP>
<PHP> view-script
$aTwigdata['TargetUrl'] = 'index.php'; $aTwigdata['FTAN'] = $oReg→App→getFTAN('RAW'); $aTwigdata['RecordId'] = $oReg→App→getIDKEY($record_id); </PHP> <PHP> twig-template
Beispiel 1 <form method=“post” action=“targeturl”> <input type=“hidden” name=“ftan.name” value=“ftan.value”> <input type=“hidden” name=“record_id” value=“recordid”> […] </form> Beispiel 2 <a href=“targeturl?ftan.name=ftan.value&record_id=recordid” title=“xx”>Tu was</a> </PHP> <PHP> save-script
Beispiel 1 if ($oReg→App→checkFTAN()) { $record_id = $oReg→App→checkIDKEY('record_id'); […] } Beispiel 2 if ($oReg→App→checkFTAN('GET')) {
$record_id = $oReg->App->checkIDKEY('record_id', 0, 'GET'); [...]
} </PHP>