Browse Source

Use hash_hmac on cookie hashes.

Taylor Otwell 12 years ago
parent
commit
4eac00a009
3 changed files with 19 additions and 8 deletions
  1. 15 4
      laravel/cookie.php
  2. 3 3
      laravel/tests/cases/cookie.test.php
  3. 1 1
      laravel/tests/cases/session.test.php

+ 15 - 4
laravel/cookie.php

@@ -80,7 +80,7 @@ class Cookie {
 			$expiration = time() + ($expiration * 60);
 		}
 
-		$value = sha1($value.Config::get('application.key')).'+'.$value;
+		$value = static::hash($value).'+'.$value;
 
 		// If the secure option is set to true, yet the request is not over HTTPS
 		// we'll throw an exception to let the developer know that they are
@@ -127,6 +127,17 @@ class Cookie {
 		return static::put($name, null, -2000, $path, $domain, $secure);
 	}
 
+	/**
+	 * Hash the given cookie value.
+	 *
+	 * @param  string  $value
+	 * @return string
+	 */
+	public static function hash($value)
+	{
+		return hash_hmac('sha1', $value, Config::get('application.key'));
+	}
+
 	/**
 	 * Parse a hash fingerprinted cookie value.
 	 *
@@ -142,7 +153,7 @@ class Cookie {
 		// ahead and throw exceptions now since there the cookie is invalid.
 		if ( ! (count($segments) >= 2))
 		{
-			throw new \Exception("Cookie was not set by application.");
+			return null;
 		}
 
 		$value = implode('+', array_slice($segments, 1));
@@ -150,12 +161,12 @@ class Cookie {
 		// Now we will check if the SHA-1 hash present in the first segment matches
 		// the ShA-1 hash of the rest of the cookie value, since the hash should
 		// have been set when the cookie was first created by the application.
-		if ($segments[0] == sha1($value.Config::get('application.key')))
+		if ($segments[0] == static::hash($value))
 		{
 			return $value;
 		}
 
-		throw new \Exception("Cookie has been modified by client.");
+		return null;
 	}
 
 }

+ 3 - 3
laravel/tests/cases/cookie.test.php

@@ -67,7 +67,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase {
 	 */
 	public function testHasMethodIndicatesIfCookieInSet()
 	{
-		Cookie::$jar['foo'] = array('value' => sha1('bar'.Config::get('application.key')).'+bar');
+		Cookie::$jar['foo'] = array('value' => Cookie::hash('bar').'+bar');
 		$this->assertTrue(Cookie::has('foo'));
 		$this->assertFalse(Cookie::has('bar'));
 
@@ -82,7 +82,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase {
 	 */
 	public function testGetMethodCanReturnValueOfCookies()
 	{
-		Cookie::$jar['foo'] = array('value' => sha1('bar'.Config::get('application.key')).'+bar');
+		Cookie::$jar['foo'] = array('value' => Cookie::hash('bar').'+bar');
 		$this->assertEquals('bar', Cookie::get('foo'));
 
 		Cookie::put('bar', 'baz');
@@ -97,7 +97,7 @@ class CookieTest extends \PHPUnit_Framework_TestCase {
 	public function testForeverShouldUseATonOfMinutes()
 	{
 		Cookie::forever('foo', 'bar');
-		$this->assertEquals(sha1('bar'.Config::get('application.key')).'+bar', Cookie::$jar['foo']['value']);
+		$this->assertEquals(Cookie::hash('bar').'+bar', Cookie::$jar['foo']['value']);
 
 		// Shouldn't be able to test this cause while we indicate -2000 seconds 
 		// cookie expiration store timestamp.

+ 1 - 1
laravel/tests/cases/session.test.php

@@ -372,7 +372,7 @@ class SessionTest extends PHPUnit_Framework_TestCase {
 
 		$cookie = Cookie::$jar[Config::get('session.cookie')];
 
-		$this->assertEquals(sha1('foo'.Config::get('application.key')).'+foo', $cookie['value']);
+		$this->assertEquals(Cookie::hash('foo').'+foo', $cookie['value']);
 		// Shouldn't be able to test this cause session.lifetime store number of minutes 
 		// while cookie expiration store timestamp when it going to expired.
 		// $this->assertEquals(Config::get('session.lifetime'), $cookie['expiration']);