PHP Classes

Anti-CSRF: Generate tokens to protect against CSRF exploits

Recommend this page to a friend!
     
  Info   Documentation   View files Files   Install with Composer Install with Composer   Download Download   Reputation   Support forum   Blog    
Ratings Unique User Downloads Download Rankings
Not yet rated by the usersTotal: 216 All time: 8,309 This week: 54Up
Version License PHP version Categories
anti-csrf 1.0.0MIT/X Consortium ...5HTML, PHP 5, Security
Description 

Author

Scott Arciszewski

This package can generate tokens to protect against CSRF exploits.

It can generate tokens that can be used in forms so it is possible to verify that the form was submitted by a real user and not a robot script that forged a form submission.

The package can also perform the verification of a token generated by the package and was passed in a form submitted by a real user.

Innovation Award
PHP Programming Innovation award nominee
December 2018
Number 2		 Cross-Site Request Forgery is a kind of security attack that may affect Web sites that processed forms submitted by authenticated users and make them do things against their will.

There are many solutions in PHP that can help avoiding CSRF exploits.

This package can do things that are different from other solutions like restricting the protection to specific site URLs, or users accessing a site from specific IP addresses, and support multiple tokens to handle different forms.

Manuel Lemos
Picture of Scott Arciszewski
  Performance   Level  
Name: Scott Arciszewski <contact>
Classes: 38 packages by
Country: United States United States
Age: ???
All time rank: 1170171 in United States United States
Week rank: 22 Up2 in United States United States Up

Level 1 Star

 Innovation award
Innovation award
Nominee: 29x

Winner: 1x

Documentation

Anti-CSRF Library

Build Status Latest Stable Version Latest Unstable Version License Downloads

Motivation

There aren't any good session-powered CSRF prevention libraries. By good we mean:

  • CSRF tokens can be restricted to any or all of the following: * A particular session * A particular HTTP URI * A particular IP address (optional)
  • Multiple CSRF tokens can be stored
  • CSRF tokens expire after one use
  • An upper limit on the number of tokens stored with session data is enforced * In our implementation, the oldest are removed first

Warning - Do not use in any project where all $_SESSION data is stored client-side in a cookie. This will quickly run up the 4KB storage max for an HTTP cookie.

Using it in Any Project

See autoload.php for an SPL autoloader.

Using it with Twig templates

First, add a filter like this one:

use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig_SimpleFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);

Next, call the newly created form_token function from your templates.

<form action="/addUser.php" method="post">
    {{ form_token("/addUser.php") }}

    {# ... the rest of your form here ... #}
</form>

Validating a Request

    $csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            // Valid
        } else {
            // Log a CSRF attack attempt
        }
    }

  Files folder image Files (12)  
File Role Description
Files folder imagesrc (2 files)
Files folder imagetests (1 file)
Accessible without login Plain text file .travis.yml Data Auxiliary data
Accessible without login Plain text file autoload.php Aux. Auxiliary script
Accessible without login Plain text file composer.json Data Auxiliary data
Accessible without login Plain text file LICENSE Lic. License text
Accessible without login Plain text file phpunit.xml.dist Data Auxiliary data
Accessible without login Plain text file psalm.xml Data Auxiliary data
Accessible without login Plain text file README.md Doc. Documentation
Accessible without login Plain text file run-tests.bat Data Auxiliary data
Accessible without login Plain text file run-tests.sh Data Auxiliary data

  Files folder image Files (12)  /  src  
File Role Description
  Accessible without login Plain text file AntiCSRF.php Class Class source
  Accessible without login Plain text file Reusable.php Class Class source

  Files folder image Files (12)  /  tests  
File Role Description
  Accessible without login Plain text file AntiCSRFTest.php Class Class source

The PHP Classes site has supported package installation using the Composer tool since 2013, as you may verify by reading this instructions page.
Install with Composer Install with Composer
Downloadanti-csrf-2018-12-19.zip 21KB
Downloadanti-csrf-2018-12-19.tar.gz 19KB
Install with ComposerInstall with Composer
 Version Control Unique User Downloads Download Rankings  
 100%
Total:216
This week:0
All time:8,309
This week:54Up

  Applications that use this package  
No pages of applications that use this class were specified.

Add link image If you know an application of this package, send a message to the author to add a link here.