Anti-CSRF: Generate tokens to protect against CSRF exploits
ReTweet Author |
 |
|
Innovation award Nominee: 8x Winner: 1x | ||||||||||
This package can generate tokens to protect against CSRF exploits.
It can generate tokens that can be used in forms so it is possible to verify that the form was submitted by a real user and not a robot script that forged a form submission.
The package can also perform the verification of a token generated by the package and was passed in a form submitted by a real user.
It can generate tokens that can be used in forms so it is possible to verify that the form was submitted by a real user and not a robot script that forged a form submission.
The package can also perform the verification of a token generated by the package and was passed in a form submitted by a real user.
Details
Anti-CSRF Library
Motivation
There aren't any good session-powered CSRF prevention libraries. By good we mean:
- CSRF tokens can be restricted to any or all of the following: * A particular session * A particular HTTP URI * A particular IP address (optional)
- Multiple CSRF tokens can be stored
- CSRF tokens expire after one use
- An upper limit on the number of tokens stored with session data is enforced * In our implementation, the oldest are removed first
Warning - Do not use in any project where all $_SESSION data is stored
client-side in a cookie. This will quickly run up the 4KB storage max for
an HTTP cookie.
Using it in Any Project
See autoload.php for an SPL autoloader.
Using it with Twig templates
First, add a filter like this one:
use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
new \Twig_SimpleFunction(
'form_token',
function($lock_to = null) {
static $csrf;
if ($csrf === null) {
$csrf = new AntiCSRF;
}
return $csrf->insertToken($lock_to, false);
},
['is_safe' => ['html']]
)
);
Next, call the newly created form_token function from your templates.
<form action="/addUser.php" method="post">
{{ form_token("/addUser.php") }}
{# ... the rest of your form here ... #}
</form>
Validating a Request
$csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
if (!empty($_POST)) {
if ($csrf->validateRequest()) {
// Valid
} else {
// Log a CSRF attack attempt
}
}
| Classes of Scott Arciszewski | > | Anti-CSRF | > |  Download .zip .tar.gz |
> |  Support forum |
> |  Blog |
> |   Latest changes |
|
|
|
||||||||||||||
| Groups | Applications |  Files |
| Groups |
 HTML |
HTML generation and processing | View top rated classes |
| PHP 5 |
Classes using PHP 5 specific features | View top rated classes |
| Security |
Security protection and attack detection | View top rated classes |
| Applications that use this package |
No pages of applications that use this class were specified.
If you know an application of this package, send a message to the author to add a link here.
| Files |
| File | Role | Description | ||
|---|---|---|---|---|
| src (2 files) |
||||
| tests (1 file) |
||||
 .travis.yml |
Data | Auxiliary data | ||
| autoload.php |
Aux. | Auxiliary script | ||
| composer.json |
Data | Auxiliary data | ||
| LICENSE |
Lic. | License text | ||
| phpunit.xml.dist |
Data | Auxiliary data | ||
| psalm.xml |
Data | Auxiliary data | ||
| README.md |
Doc. | Documentation | ||
| run-tests.bat |
Data | Auxiliary data | ||
| run-tests.sh |
Data | Auxiliary data | ||
| Download all files: anti-csrf.tar.gz anti-csrf.zip NOTICE: if you are using a download manager program like 'GetRight', please Login before trying to download this archive.
|
For more information send a message to
info at phpclasses dot org.Copyright (c) Icontem 1999-2018