AuthFormDataManager
in package
Adapter for managing authentication form field persistence.
Abstracts $_SESSION access for auth form data (username, email, redirect), enabling testability and session backend changes.
Tags
Table of Contents
Constants
- KEY_PASSWORD_PREFIX = 'password_'
- Session key for password form data.
- KEY_PREFIX = 'auth_'
- Session key prefix for auth data.
Methods
- clearAll() : void
- Clear all auth form data (username, email, redirect).
- clearEmail() : void
- Clear the stored email.
- clearPasswordEmail() : void
- Clear the password form email.
- clearRedirectUrl() : void
- Clear the stored redirect URL.
- clearUsername() : void
- Clear the stored username.
- getAndClearEmail() : string
- Get and clear the stored email.
- getAndClearPasswordEmail() : string
- Get and clear the password form email.
- getAndClearRedirectUrl() : string
- Get and clear the stored redirect URL.
- getAndClearUsername() : string
- Get and clear the stored username.
- getEmail() : string
- Get the stored email for form repopulation.
- getPasswordEmail() : string
- Get the stored password form email.
- getRedirectUrl() : string
- Get the stored redirect URL.
- getUsername() : string
- Get the stored username for form repopulation.
- setEmail() : void
- Set the email for form repopulation.
- setPasswordEmail() : void
- Set the password form email.
- setRedirectUrl() : void
- Set the redirect URL for post-login navigation.
- setUsername() : void
- Set the username for form repopulation.
- ensureSession() : void
- Ensure session is started.
- isSafeRelativeUrl() : bool
- A stored redirect target is safe iff it's a same-origin path.
Constants
KEY_PASSWORD_PREFIX
Session key for password form data.
private
mixed
KEY_PASSWORD_PREFIX
= 'password_'
KEY_PREFIX
Session key prefix for auth data.
private
mixed
KEY_PREFIX
= 'auth_'
Methods
clearAll()
Clear all auth form data (username, email, redirect).
public
clearAll() : void
clearEmail()
Clear the stored email.
public
clearEmail() : void
clearPasswordEmail()
Clear the password form email.
public
clearPasswordEmail() : void
clearRedirectUrl()
Clear the stored redirect URL.
public
clearRedirectUrl() : void
clearUsername()
Clear the stored username.
public
clearUsername() : void
getAndClearEmail()
Get and clear the stored email.
public
getAndClearEmail() : string
Return values
stringgetAndClearPasswordEmail()
Get and clear the password form email.
public
getAndClearPasswordEmail() : string
Return values
stringgetAndClearRedirectUrl()
Get and clear the stored redirect URL.
public
getAndClearRedirectUrl([string $default = '/' ]) : string
Parameters
- $default : string = '/'
-
Default URL if not set
Return values
stringgetAndClearUsername()
Get and clear the stored username.
public
getAndClearUsername() : string
Return values
stringgetEmail()
Get the stored email for form repopulation.
public
getEmail() : string
Return values
stringgetPasswordEmail()
Get the stored password form email.
public
getPasswordEmail() : string
Return values
stringgetRedirectUrl()
Get the stored redirect URL.
public
getRedirectUrl([string $default = '/' ]) : string
Parameters
- $default : string = '/'
-
Default URL if not set
Return values
stringgetUsername()
Get the stored username for form repopulation.
public
getUsername() : string
Return values
stringsetEmail()
Set the email for form repopulation.
public
setEmail(string $email) : void
Parameters
- $email : string
-
Email
setPasswordEmail()
Set the password form email.
public
setPasswordEmail(string $email) : void
Parameters
- $email : string
-
Email
setRedirectUrl()
Set the redirect URL for post-login navigation.
public
setRedirectUrl(string $url) : void
Parameters
- $url : string
-
Redirect URL
setUsername()
Set the username for form repopulation.
public
setUsername(string $username) : void
Parameters
- $username : string
-
Username
ensureSession()
Ensure session is started.
private
ensureSession() : void
isSafeRelativeUrl()
A stored redirect target is safe iff it's a same-origin path.
private
static isSafeRelativeUrl(string $url) : bool
AuthMiddleware stores raw $_SERVER['REQUEST_URI'] when redirecting
unauthenticated users to /login. An attacker who tricks a victim
into visiting https://lwt.example.com//evil.com/phish gets
REQUEST_URI = //evil.com/phish stored verbatim; if the post-login
redirect followed it, the browser would interpret the leading //
as protocol-relative and navigate to evil.com. Reject anything that
doesn't start with a single / followed by something other than
/ or \ (some browsers treat \ like / in URL paths).
Parameters
- $url : string