Session
class Session
Provides functions for managing user sessions in a security-conscious manner.
Traits
Methods
URL-encode and escape a query string for use in a URL.
Check that a string is comprised solely of alphanumeric characters.
Check that a string is comprised solely of alphanumeric characters and underscores.
Check that a string is comprised solely of alphabetical characters.
Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.
Unset session variables and destroy the session.
Returns a login or logout link for insertion in the template.
Shorthand admin privileges check.
Checks if client IP address or user agent has changed.
Checks if a session has expired and sets last seen activity flag.
Authenticate the user and establish a session.
Hashes and salts a password to harden it against dictionary attacks.
Destroys the current session on logout.
Regenerates the session ID.
Reset session data after a session hijacking check fails. This will force logout.
Initialises a session and sets session cookie parameters to security-conscious values.
Sets a token for use in cross-site request forgery checks on form submissions.
Authenticate the user with two factors and establish a session.
Details
in EmailCheck at line 39
bool
isEmail(string $email)
Check if an email address is valid.
Note that valid email addresses can contain database-unsafe characters such as single quotes.
in UrlCheck at line 40
bool
isUrl(string $url)
Validate URL.
Only accepts the http:// and https:// protocols and ASCII characters. Other protocols and internationalised domain names will fail validation due to a limitation of the filter.
in ValidateString at line 41
string
encodeEscapeUrl(string $url)
URL-encode and escape a query string for use in a URL.
Trims, checks for UTF-8 compliance, rawurlencodes and then escapes with htmlspecialchars(). If you wish to use the data on a landing page you must decode it with htmlspecialchars_decode() followed by rawurldecode() in that order. But really, if you are using any characters that need to be encoded in the first place you should probably just stop.
in ValidateString at line 59
bool
isAlnum(string $alnum)
Check that a string is comprised solely of alphanumeric characters.
Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.
in ValidateString at line 77
bool
isAlnumUnderscore(string $alnumUnderscore)
Check that a string is comprised solely of alphanumeric characters and underscores.
Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.
in ValidateString at line 95
bool
isAlpha(string $alpha)
Check that a string is comprised solely of alphabetical characters.
Tolerates vanilla ASCII only. Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.
in ValidateString at line 113
bool
isUtf8(string $text)
Check if the character encoding of text is UTF-8.
All strings received from external sources must be passed through this function, particularly prior to storage in the database.
in ValidateString at line 131
string
trimString(mixed $text)
Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.
Removes trailing whitespace and control characters (ASCII <= 32 / UTF-8 points 0-32 inclusive), checks for UTF-8 character set and casts input to a string. Note that the data returned by this function still requires escaping at the point of use; it is not database or XSS safe.
As the input is cast to a string, do NOT apply this function to non-string types (int, float, bool, object, resource, null, array, etc).
at line 50
__construct(Database $db, Preference $preference)
Constructor.
at line 62
destroy()
Unset session variables and destroy the session.
at line 75
string
getLoginLink()
Returns a login or logout link for insertion in the template.
at line 92
bool
isAdmin()
Shorthand admin privileges check.
For added security this could retrieve an encrypted token, preferably the SSL session ID, although its availability seems to depend on server configuration.
at line 109
bool
isClean()
Checks if client IP address or user agent has changed.
These tests can indicate session hijacking but are by no means definitive; however, they do indicate elevated risk and the session should be regenerated as a countermeasure.
at line 137
bool
isExpired()
Checks if a session has expired and sets last seen activity flag.
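The two checks described for isClean() and isExpired(), as an added example that is not the library's own code. The helper names, the session keys ('ip', 'user_agent', 'last_seen') and the 1200-second timeout are assumptions, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not the library's implementation.

/** Bind the client's address and user agent to the session when it is established. */
function bind_client(array &$session, array $server, int $now): void
{
    $session['ip']         = $server['REMOTE_ADDR'] ?? '';
    $session['user_agent'] = $server['HTTP_USER_AGENT'] ?? '';
    $session['last_seen']  = $now;
}

/** True while both the IP address and the user agent match the bound values. */
function is_clean(array $session, array $server): bool
{
    return isset($session['ip'], $session['user_agent'])
        && $session['ip'] === ($server['REMOTE_ADDR'] ?? '')
        && $session['user_agent'] === ($server['HTTP_USER_AGENT'] ?? '');
}

/** True if idle for longer than $timeout seconds; otherwise refreshes last_seen. */
function is_expired(array &$session, int $now, int $timeout = 1200): bool
{
    if (!isset($session['last_seen']) || $now - $session['last_seen'] > $timeout) {
        return true;
    }
    $session['last_seen'] = $now; // activity flag is only updated for live sessions
    return false;
}

// Constructed request data using documentation-range addresses.
$atLogin = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$moved   = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];

$session = [];
bind_client($session, $atLogin, 1000);

var_dump(is_clean($session, $atLogin));        // same client as at login
var_dump(is_clean($session, $moved));          // address changed: elevated risk
var_dump(is_expired($session, 1600));          // 600 s idle, last_seen becomes 1600
var_dump(is_expired($session, 1600 + 1201));   // idle past the timeout
```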
at line 171
login(string $email, string $password)
Authenticate the user and establish a session.
The number of failed login attempts is tracked. Subsequent login attempts will sleep for an equivalent number of seconds before processing, in order to frustrate brute force attacks. A successful login will reset the counter to zero. Note that the password field is unrestricted content.
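The delay-per-failure behaviour described above, as an added example that is not the library's own code. The in-memory user store, its keys and attempt_login() are hypothetical, and the delay is injected as a callable so the script can record the requested waits instead of sleeping.

```php
<?php
declare(strict_types=1);

// Added example. The in-memory $users store, its keys and attempt_login()
// are hypothetical; a real application keeps the counter with the user record.

function attempt_login(array &$users, string $email, string $password, callable $delay): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $user = &$users[$email];

    // One second of delay per earlier failure, applied before any processing.
    if ($user['failed'] > 0) {
        $delay($user['failed']);
    }

    // The password is passed through untouched: no trimming or character filtering.
    if (password_verify($password, $user['hash'])) {
        $user['failed'] = 0;   // success resets the counter
        return true;
    }

    $user['failed']++;
    return false;
}

// Constructed account and credentials.
$users = [
    'alice@example.com' => [
        'hash'   => password_hash(" pass'word <b> ", PASSWORD_DEFAULT),
        'failed' => 0,
    ],
];

// Record the requested delays instead of sleeping; pass 'sleep' in production.
$waits = [];
$delay = function (int $seconds) use (&$waits): void {
    $waits[] = $seconds;
};

attempt_login($users, 'alice@example.com', 'guess one', $delay);
attempt_login($users, 'alice@example.com', 'guess two', $delay);
$ok = attempt_login($users, 'alice@example.com', " pass'word <b> ", $delay);

var_dump($ok, $waits, $users['alice@example.com']['failed']);
```

Because each delay holds a request worker for its full duration, a counter that grows without limit lets repeated failures tie up workers; capping the delay is a common adjustment.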
at line 277
string
hashPassword(string $password)
Hashes and salts a password to harden it against dictionary attacks.
Uses the default password hashing algorithm, which was bcrypt as of PHP 7.2, with a cost of 11. If logging in is too slow, you could consider reducing this to 10 (the default value). Lowering it further will weaken the security of the hash.
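To judge the cost trade-off described above on your own hardware, this added example (not the library's own code) times a bcrypt hash at costs 10, 11 and 12 and shows a hash stored at cost 10 being upgraded to cost 11 at the next successful verification. The function names and the sample password are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; hash_password() and verify_and_upgrade() are hypothetical names.
const HASH_OPTIONS = ['cost' => 11];

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/**
 * Verify a password. If the stored hash was made with other settings,
 * also return a replacement hash for the caller to store.
 *
 * @return array{0: bool, 1: ?string}
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $replacement = password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)
        ? hash_password($password)
        : null;
    return [true, $replacement];
}

$sample = 'constructed sample password';

// Each cost increment doubles the work; measure it on the login server itself.
foreach ([10, 11, 12] as $cost) {
    $start = microtime(true);
    password_hash($sample, PASSWORD_BCRYPT, ['cost' => $cost]);
    printf("cost %d: %.0f ms\n", $cost, (microtime(true) - $start) * 1000);
}

// A hash stored at cost 10 still verifies and is flagged for replacement.
$legacy = password_hash($sample, PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $replacement] = verify_and_upgrade($sample, $legacy);

var_dump($ok);
var_dump(password_get_info($legacy)['options']);
var_dump(password_get_info($replacement ?? $legacy)['options']);
```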
at line 290
logout(string $urlRedirect = '')
Destroys the current session on logout.
at line 339
regenerate()
Regenerates the session ID.
Called whenever there is a privilege escalation (login) or at random intervals to reduce the risk of session hijacking. Note that the cross-site request forgery validation token remains the same unless the session is destroyed. This is to prevent the random session ID regeneration events from creating false positives in CSRF checks.
Note that it allows the new and old sessions to co-exist for a short period. This is to avoid headaches with flaky network connections and asynchronous (AJAX) requests, as explained in the PHP Manual warning: http://php.net/manual/en/function.session-regenerate-id.php
at line 370
reset()
Reset session data after a session hijacking check fails. This will force logout.
at line 389
start()
Initialises a session and sets session cookie parameters to security-conscious values.
at line 444
setToken()
Sets a token for use in cross-site request forgery checks on form submissions.
A random token is generated and stored in the current session (if not already set). The value of this token is included as a hidden field in forms when they are loaded by the user. This allows forms to be validated via validateFormToken().
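The token lifecycle described above, as an added example that is not the library's own code. The function names, the 'token' key and the hidden field name are assumptions, and a plain array stands in for $_SESSION. It also shows why the token survives session ID regeneration: the token is only generated when none is set.

```php
<?php
declare(strict_types=1);

// Added example; function names and the 'token' key are hypothetical.

/** Generate a token once per session and return it on every later call. */
function set_token(array &$session): string
{
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

/** Hidden form field carrying the session's token. */
function token_field(array &$session): string
{
    $token = htmlspecialchars(set_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

/** Constant-time comparison of the submitted token against the session's. */
function validate_form_token(array $session, array $post): bool
{
    $sent = $post['token'] ?? '';
    return is_string($sent)
        && !empty($session['token'])
        && hash_equals($session['token'], $sent);
}

$session = [];
echo token_field($session), "\n";
$issued = $session['token'];

// After a session ID regeneration the session data carries over, so a
// second call returns the same token and open forms remain valid.
set_token($session);
var_dump($issued === $session['token']);

// Constructed submissions: genuine, forged, missing and malformed.
var_dump(validate_form_token($session, ['token' => $issued]));
var_dump(validate_form_token($session, ['token' => str_repeat('0', 64)]));
var_dump(validate_form_token($session, []));
var_dump(validate_form_token($session, ['token' => ['not', 'a', 'string']]));
```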
at line 462
twoFactorLogin(string $dirtyPassword, string $dirtyOtp, Auth_yubico $yubikey)
Authenticate the user with two factors and establish a session.
Requires a Yubikey hardware token as the second factor. Note that the authenticator type is not declared, as the desired response is to logout and redirect, rather than to throw an error.