Sections

Class Phalcon\Security

Source on GitHub

Namespace Phalcon   Uses Phalcon\Di\DiInterface, Phalcon\Di\AbstractInjectionAware, Phalcon\Http\RequestInterface, Phalcon\Security\Random, Phalcon\Security\Exception, Phalcon\Session\ManagerInterface   Extends AbstractInjectionAware

This component provides a set of functions to improve the security in Phalcon applications

$login    = $this->request->getPost("login");
$password = $this->request->getPost("password");

$user = Users::findFirstByLogin($login);

if ($user) {
    if ($this->security->checkHash($password, $user->password)) {
        // The password is valid
    }
}

Constants

const CRYPT_BLOWFISH = 4;
const CRYPT_BLOWFISH_A = 5;
const CRYPT_BLOWFISH_X = 6;
const CRYPT_BLOWFISH_Y = 7;
const CRYPT_DEFAULT = 0;
const CRYPT_EXT_DES = 2;
const CRYPT_MD5 = 3;
const CRYPT_SHA256 = 8;
const CRYPT_SHA512 = 9;
const CRYPT_STD_DES = 1;

Properties

/**
 * @var int|null
 */
protected defaultHash;

/**
 * @var int
 */
protected numberBytes = 16;

/**
 * @var Random
 */
protected random;

/**
 * @var string}null
 */
protected requestToken;

/**
 * @var string|null
 */
protected token;

/**
 * @var string|null
 */
protected tokenKey;

/**
 * @var string
 */
protected tokenKeySessionId = $PHALCON/CSRF/KEY$;

/**
 * @var string
 */
protected tokenValueSessionId = $PHALCON/CSRF$;

/**
 * @var int
 */
protected workFactor = 10;

/**
 * @var SessionInterface|null
 */
private localSession;

/**
 * @var RequestInterface|null
 */
private localRequest;

Metody

public function __construct( SessionInterface $session = null, RequestInterface $request = null );

Phalcon\Security constructor

public function checkHash( string $password, string $passwordHash, int $maxPassLength = int ): bool;

Checks a plain text password and its hash version to check if the password matches

public function checkToken( mixed $tokenKey = null, mixed $tokenValue = null, bool $destroyIfValid = bool ): bool;

Check if the CSRF token sent in the request is the same that the current in session

public function computeHmac( string $data, string $key, string $algo, bool $raw = bool ): string;

Computes a HMAC

public function destroyToken(): Security;

Removes the value of the CSRF token and key from session

public function getDefaultHash(): int | null;

Returns the default hash

public function getRandom(): Random;

Returns a secure random number generator instance

public function getRandomBytes(): int;

Returns a number of bytes to be generated by the openssl pseudo random generator

public function getRequestToken(): string | null;

Returns the value of the CSRF token for the current request.

public function getSaltBytes( int $numberBytes = int ): string;

Generate a >22-length pseudo random string to be used as salt for passwords

public function getSessionToken(): string | null;

Returns the value of the CSRF token in session

public function getToken(): string;

Generates a pseudo random token value to be used as input’s value in a CSRF check

public function getTokenKey(): string;

Generates a pseudo random token key to be used as input’s name in a CSRF check

public function getWorkFactor(): int
public function hash( string $password, int $workFactor = int ): string;

Creates a password hash using bcrypt with a pseudo random salt

public function isLegacyHash( string $passwordHash ): bool;

Checks if a password hash is a valid bcrypt’s hash

public function setDefaultHash( int $defaultHash ): Security;

Sets the default hash

public function setRandomBytes( int $randomBytes ): Security;

Sets a number of bytes to be generated by the openssl pseudo random generator

public function setWorkFactor( int $workFactor ): Security;

Sets the work factor

Class Phalcon\Security\Exception

Source on GitHub

Namespace Phalcon\Security   Extends \Phalcon\Exception

Phalcon\Security\Exception

Exceptions thrown in Phalcon\Security will use this class

Class Phalcon\Security\Random

Source on GitHub

Namespace Phalcon\Security

Phalcon\Security\Random

Secure random number generator class.

Provides secure random number generator which is suitable for generating session key in HTTP cookies, etc.

Phalcon\Security\Random could be mainly useful for:

  • Key generation (e.g. generation of complicated keys)
  • Generating random passwords for new user accounts
  • Encryption systems
$random = new \Phalcon\Security\Random();

// Random binary string
$bytes = $random->bytes();

// Random hex string
echo $random->hex(10); // a29f470508d5ccb8e289
echo $random->hex(10); // 533c2f08d5eee750e64a
echo $random->hex(11); // f362ef96cb9ffef150c9cd
echo $random->hex(12); // 95469d667475125208be45c4
echo $random->hex(13); // 05475e8af4a34f8f743ab48761

// Random base62 string
echo $random->base62(); // z0RkwHfh8ErDM1xw

// Random base64 string
echo $random->base64(12); // XfIN81jGGuKkcE1E
echo $random->base64(12); // 3rcq39QzGK9fUqh8
echo $random->base64();   // DRcfbngL/iOo9hGGvy1TcQ==
echo $random->base64(16); // SvdhPcIHDZFad838Bb0Swg==

// Random URL-safe base64 string
echo $random->base64Safe();           // PcV6jGbJ6vfVw7hfKIFDGA
echo $random->base64Safe();           // GD8JojhzSTrqX7Q8J6uug
echo $random->base64Safe(8);          // mGyy0evy3ok
echo $random->base64Safe(null, true); // DRrAgOFkS4rvRiVHFefcQ==

// Random UUID
echo $random->uuid(); // db082997-2572-4e2c-a046-5eefe97b1235
echo $random->uuid(); // da2aa0e2-b4d0-4e3c-99f5-f5ef62c57fe2
echo $random->uuid(); // 75e6b628-c562-4117-bb76-61c4153455a9
echo $random->uuid(); // dc446df1-0848-4d05-b501-4af3c220c13d

// Random number between 0 and $len
echo $random->number(256); // 84
echo $random->number(256); // 79
echo $random->number(100); // 29
echo $random->number(300); // 40

// Random base58 string
echo $random->base58();   // 4kUgL2pdQMSCQtjE
echo $random->base58();   // Umjxqf7ZPwh765yR
echo $random->base58(24); // qoXcgmw4A9dys26HaNEdCRj9
echo $random->base58(7);  // 774SJD3vgP

This class partially borrows SecureRandom library from Ruby

@link http://ruby-doc.org/stdlib-2.2.2/libdoc/securerandom/rdoc/SecureRandom.html

Metody

public function base58( int $len = null ): string;

Generates a random base58 string

If $len is not specified, 16 is assumed. It may be larger in future. The result may contain alphanumeric characters except 0, O, I and l.

It is similar to Phalcon\Security\Random::base64() but has been modified to avoid both non-alphanumeric characters and letters which might look ambiguous when printed.

$random = new \Phalcon\Security\Random();

echo $random->base58(); // 4kUgL2pdQMSCQtjE

@see \Phalcon\Security\Random:base64 @link https://en.wikipedia.org/wiki/Base58 @throws Exception If secure random number generator is not available or unexpected partial read

public function base62( int $len = null ): string;

Generates a random base62 string

If $len is not specified, 16 is assumed. It may be larger in future.

It is similar to Phalcon\Security\Random::base58() but has been modified to provide the largest value that can safely be used in URLs without needing to take extra characters into consideration because it is [A-Za-z0-9].

$random = new \Phalcon\Security\Random();

echo $random->base62(); // z0RkwHfh8ErDM1xw

@see \Phalcon\Security\Random:base58 @throws Exception If secure random number generator is not available or unexpected partial read

public function base64( int $len = null ): string;

Generates a random base64 string

If $len is not specified, 16 is assumed. It may be larger in future. The length of the result string is usually greater of $len. Size formula: 4($len / 3) rounded up to a multiple of 4.

$random = new \Phalcon\Security\Random();

echo $random->base64(12); // 3rcq39QzGK9fUqh8

@throws Exception If secure random number generator is not available or unexpected partial read

public function base64Safe( int $len = null, bool $padding = bool ): string;

Generates a random URL-safe base64 string

If $len is not specified, 16 is assumed. It may be larger in future. The length of the result string is usually greater of $len.

By default, padding is not generated because “=” may be used as a URL delimiter. The result may contain A-Z, a-z, 0-9, “-“ and “_”. “=” is also used if $padding is true. See RFC 3548 for the definition of URL-safe base64.

$random = new \Phalcon\Security\Random();

echo $random->base64Safe(); // GD8JojhzSTrqX7Q8J6uug

@link https://www.ietf.org/rfc/rfc3548.txt @throws Exception If secure random number generator is not available or unexpected partial read

public function bytes( int $len = int ): string;

Generates a random binary string

The Random::bytes method returns a string and accepts as input an int representing the length in bytes to be returned.

If $len is not specified, 16 is assumed. It may be larger in future. The result may contain any byte: “x00” - “xFF”.

$random = new \Phalcon\Security\Random();

$bytes = $random->bytes();
var_dump(bin2hex($bytes));
// Possible output: string(32) "00f6c04b144b41fad6a59111c126e1ee"

@throws Exception If secure random number generator is not available or unexpected partial read

public function hex( int $len = null ): string;

Generates a random hex string

If $len is not specified, 16 is assumed. It may be larger in future. The length of the result string is usually greater of $len.

$random = new \Phalcon\Security\Random();

echo $random->hex(10); // a29f470508d5ccb8e289

@throws Exception If secure random number generator is not available or unexpected partial read

public function number( int $len ): int;

Generates a random number between 0 and $len

Returns an integer: 0 <= result <= $len.

$random = new \Phalcon\Security\Random();

echo $random->number(16); // 8

@throws Exception If secure random number generator is not available, unexpected partial read or $len <= 0

public function uuid(): string;

Generates a v4 random UUID (Universally Unique IDentifier)

The version 4 UUID is purely random (except the version). It doesn’t contain meaningful information such as MAC address, time, etc. See RFC 4122 for details of UUID.

This algorithm sets the version number (4 bits) as well as two reserved bits. All other bits (the remaining 122 bits) are set using a random or pseudorandom data source. Version 4 UUIDs have the form xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx where x is any hexadecimal digit and y is one of 8, 9, A, or B (e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479).

$random = new \Phalcon\Security\Random();

echo $random->uuid(); // 1378c906-64bb-4f81-a8d6-4ae1bfcdec22

@link https://www.ietf.org/rfc/rfc4122.txt @throws Exception If secure random number generator is not available or unexpected partial read

protected function base( string $alphabet, int $base, mixed $n = null ): string;

Generates a random string based on the number ($base) of characters ($alphabet).

If $n is not specified, 16 is assumed. It may be larger in future.

@throws Exception If secure random number generator is not available or unexpected partial read