Datetime object for use with token

Hello and I hope that everyone is having a pleasant day,

I don’t know how to use DateTime to record a current time plus an expiration time for use with a CSRF token.

I don’t want to burden the forum with such a silly problem. I am new to PHP and I have no experience with certain things such as DateTime. I’ve never created a public website. I only ever made HTML or PHP pages for my own usage on my PC. Organizing photos, music (play mp3 via ActiveX) etc.

I’ve tried $ndt = new DateTime(); and I cannot echo the code because it has no value. Now I understand that this is an object and it is not a string that can be echoed. I see that people manually add a date time, as $ndt = new DateTime("2019-25-03 12:00:00"); but I cannot see how to add the current time dynamically. I wonder if I should even be using DateTime for this but I think that date interval would be easier to calculate an expiration time than to create an interval manually. Yet I don’t understand how to do this with DateTime();

I created CSRF tokens for use with forms but now I realize that these tokens are useless without an expiration date. So I’m trying to make a token as follows:
time() + time-to-live + random token.

Maybe someone can offer some guidance as to using a DateTime object to accomplish this task. I have tried a few methods but always get an error, especially when trying to echo a value, add to the date 15 minutes and even an error trying to echo an interval. Apparently, I don’t understand the DateTime object.

Please refer to the manual
https://www.php.net/manual/en/class.datetime.php
https://www.php.net/manual/en/datetime.add.php

$ndt = new DateTime();
echo $ndt->format('Y-m-d H:i'); // 2019-03-25 08:51
$ndt->add(new DateInterval('PT15M'));
echo $ndt->format('Y-m-d H:i'); // 2019-03-25 09:06

Hello and Thank you, Jim.

For some reason, I assumed that this was formatting a datetime that already existed. I should’ve read the manual more carefully. I have no idea what made me think that it was like Date_format from SQL. I think that I will call it a day with programming. My mind is not able to grasp anything today.

Anyway, ran the code in XAMPP just now and already modified it. Now it is time to relax for the day.

If you want a more human readable form of adding a date for a first start you can also use the modify() method on every DateTime instance like

(new DateTime)->modify('+15 minutes')->Format(...)

So this is what I have for a time-to-live component of a token. I still have to add my token generation code to the function. I also have to explode/split the variable for TTL determination and token comparison with the value of a session variable.

function createTokenTTL() {
    $ndt = new DateTime();
    $tokenBirth = $ndt->format('Y-m-d H:i:s');
    $ndt->add(new DateInterval('PT15M'));
    $tokenDeath = $ndt->format('Y-m-d H:i:s');
    $certificate = $tokenBirth . "-" . $tokenDeath;
    return $certificate;
}

I need to store the value of the new DateTime before I alter it with a 15M interval. I also need to store the value of the interval, thus I used variables. Is this correct? It works but we all know the adage about this type of code…

edit: I also wanted to extend my gratitude to Jim and Christian for helping me with this topic. My mind is cloudy today.

I would store the format and interval within a constant or configuration.

Hello and I hope that everyone is having a pleasant day,

I played with DateTime a bit before going to bed and I must admit that I didn’t understand this object. I am used to programming something, not having something sitting there waiting to be utilized. I didn’t know that DateTime already has the current date and time. I thought that I had to define a current date and time before I could use it. Anyway, now I see that even a variable would work to hold this data. I’ve defined a constant for the interval as such:

define('tokenLifeSpan', (new DateTime)->modify('+15 minutes')->Format('Y-m-d H:i:s'));

Now I have pseudocode for this process because I also notice that I am creating a static value, which needs to be compared with a current datetime in order to be valid.

CSRF Token pseudo code:
split sessiontoken into datetime, expired datetime and token //less is better
split posttoken into datetime, expired datetime and token
if date of posttoken and date of sessiontoken are equivalent
if date of posttoken and date of sessiontoken is not current date = expired
if diff time of posttoken, time of sessiontoken >= 15m  expired
if hash_equals(sessiontoken, posttoken)

Am I missing anything? Should I use difference of dates to compare with current date?

So my problem and solution is as follows: create a CSRF token and assign the token a birthdate and deathdate and store this also into a session variable for comparison.

I do not know what is the best method for this, but here is what I have so far:

// $CSRFtoken is the random token generated elsewhere (not shown in this post)
define('cTokenBirth', (new DateTime)->format('Y-m-d H:i:s'));
define('cTokenDeath', (new DateTime)->modify('+15 minutes')->format('Y-m-d H:i:s'));
$tokenTest = cTokenBirth . "[.]" . cTokenDeath . "[.]" . $CSRFtoken;

list($birthDate, $deathDate, $token) = explode('[.]', $tokenTest, 3);

I figure it is easier to store the values into related variables, hence, the implementation of a list. Is this good or bad?

Hello, so after reading many documents about CSRF tokens and security, I’ve decided to stick with a less complex method of TTL: time() + TTL + token

Which makes it very easy to maintain a lifespan: current time - tokentime > TTL = expired

At least I have a better understanding of DateTime objects from all of this. I’ve learned a lot about both DateTime and time(). I’ve never used either until now. I know that the token gets away from the DateTime object topic, so I apologize for not following the community guidelines. I’ve strayed away from the subject. I’m just letting everyone know that this issue is resolved.
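The scheme the thread settles on (time() + TTL + token, expired when current time - token time > TTL), written out as an added example that is not code from any poster. The function names, the '.' separator, and the plain array standing in for $_SESSION are assumptions made so the block runs from the command line.

```php
<?php
declare(strict_types=1);

const CSRF_TTL = 900; // 15 minutes in seconds (the PT15M interval used in the thread)

// Build "issuedAt.ttl.random" and keep the authoritative copy server-side.
function csrfIssue(array &$session, int $now, int $ttl = CSRF_TTL): string
{
    $token = $now . '.' . $ttl . '.' . bin2hex(random_bytes(32));
    $session['csrf'] = $token;
    return $token;
}

// Accept the posted value only if it equals the stored copy and that copy
// is still inside its lifetime.
function csrfCheck(array &$session, $posted, int $now): bool
{
    $stored = $session['csrf'] ?? null;
    // A posted array (name="csrf[]") or a missing session value is rejected
    // before hash_equals(), which requires two strings.
    if (!is_string($stored) || !is_string($posted)) {
        return false;
    }
    if (!hash_equals($stored, $posted)) {
        return false;
    }
    // The times are read from the stored copy, never from the posted one,
    // so a client cannot extend the lifetime by editing the timestamp.
    [$issued, $ttl] = explode('.', $stored, 3);
    if ($now - (int) $issued > (int) $ttl) {
        unset($session['csrf']); // expired: force a fresh token
        return false;
    }
    return true;
}

// Constructed demo: $session stands in for $_SESSION, $t0 for time().
$session = [];
$t0 = 1553500000; // constructed timestamp
$token = csrfIssue($session, $t0);

var_dump(csrfCheck($session, $token, $t0 + 60));        // within lifetime
var_dump(csrfCheck($session, 'x' . $token, $t0 + 60));  // tampered value
var_dump(csrfCheck($session, ['a'], $t0 + 60));         // non-string input
var_dump(csrfCheck($session, $token, $t0 + 901));       // past the TTL
```

In a real page, pass `$_SESSION` and `time()` in place of the demo values, after `session_start()`.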
