Anti-CSRF: Generate tokens to protect against CSRF exploits

Author: Scott Arciszewski
Packages by this author: 11
Country: United States
Innovation award: nominee 8x, winner 1x

Detailed description
This package can generate tokens to protect against CSRF (Cross-Site Request Forgery) exploits.

It generates tokens to embed in forms, so that the application can verify that a submission came from a form it served to a real user, rather than from a forged request produced by a robot script or a third-party page.

The package can also verify a token it generated earlier when that token is passed back in a form submitted by a real user.

Details

Anti-CSRF Library

Motivation

There aren't any good session-powered CSRF prevention libraries. By good we mean:

  • CSRF tokens can be restricted to any or all of the following:
      • A particular session
      • A particular HTTP URI
      • A particular IP address (optional)
  • Multiple CSRF tokens can be stored
  • CSRF tokens expire after one use
  • An upper limit on the number of tokens stored with session data is enforced
      • In our implementation, the oldest are removed first

Warning - Do not use in any project where all $_SESSION data is stored client-side in a cookie. This will quickly run up the 4KB storage max for an HTTP cookie.

Using it in Any Project

See autoload.php for an SPL autoloader.

Using it with Twig templates

First, register a Twig function like this one:

use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig_SimpleFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);

Next, call the newly created form_token function from your templates.

<form action="/addUser.php" method="post">
    {{ form_token("/addUser.php") }}

    {# ... the rest of your form here ... #}
</form>

Validating a Request

    $csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            // Valid
        } else {
            // Log a CSRF attack attempt
        }
    }
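The same flow without Twig, as an added example that is not part of the library's README: a plain-PHP handler that renders the token locked to the form's action URI and validates it on POST. It assumes a Composer autoloader at vendor/autoload.php, a server-side session store (the tokens live in $_SESSION, so session_start() must run first), and a hypothetical "username" field.

```php
<?php
declare(strict_types=1);
// Added example, not the library's own code. Assumes the Composer autoloader
// is at vendor/autoload.php and that sessions are stored server-side.
require_once __DIR__ . '/vendor/autoload.php';

use ParagonIE\AntiCSRF\AntiCSRF;

// Tokens are kept in $_SESSION, so the session must exist before a token
// is generated or validated.
session_start();

$csrf   = new AntiCSRF;
$action = '/addUser.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!$csrf->validateRequest()) {
        // Token missing, already used, or bound to a different session/URI:
        // refuse the request and record the attempt for later review.
        http_response_code(403);
        error_log(sprintf(
            'CSRF validation failed: ip=%s uri=%s referer=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-',
            $_SERVER['HTTP_REFERER'] ?? '-'
        ));
        exit('Request rejected.');
    }
    // Only reached with a valid, single-use token; handle the submission.
    $username = trim((string) ($_POST['username'] ?? ''));
    // ... create the user ($username) here ...
    exit('User created.');
}

// GET: render the form. insertToken() with $echo = false returns the hidden
// <input> markup instead of printing it; locking the token to $action means
// the same token is rejected if it is posted to any other URI.
$tokenField = $csrf->insertToken($action, false);
?>
<form action="<?= htmlspecialchars($action, ENT_QUOTES, 'UTF-8') ?>" method="post">
    <?= $tokenField ?>
    <label>Username <input type="text" name="username" required></label>
    <button type="submit">Add user</button>
</form>
```

Because each token expires after one use, a rejected or re-posted submission must be answered with a freshly rendered form rather than by asking the user to resubmit the same page.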

Name: Anti-CSRF
Base name: anti-csrf
Description: Generate tokens to protect against CSRF exploits
Version: -
PHP version: 5
License: MIT/X Consortium License

Groups: HTML (HTML generation and processing), PHP 5 (classes using PHP 5 specific features), Security (security protection and attack detection)

Files
  src/
    AntiCSRF.php        Class source
    Reusable.php        Class source
  tests/
    AntiCSRFTest.php    Class source
  .travis.yml           Auxiliary data
  autoload.php          Auxiliary script
  composer.json         Auxiliary data
  LICENSE               License text
  phpunit.xml.dist      Auxiliary data
  psalm.xml             Auxiliary data
  README.md             Documentation
  run-tests.bat         Auxiliary data
  run-tests.sh          Auxiliary data
