PHP Classes

Anti-CSRF: Generate tokens to protect against CSRF exploits

Version: anti-csrf 1.0.0
License: MIT/X Consortium ...
PHP version: 5
Categories: HTML, PHP 5, Security
Description

This package can generate tokens to protect against CSRF exploits.

It can generate tokens that can be used in forms so it is possible to verify that the form was submitted by a real user and not a robot script that forged a form submission.

The package can also verify a token it generated once that token is passed back in a form submitted by a real user.

Innovation Award: PHP Programming Innovation Award nominee, December 2018, Number 2
Cross-Site Request Forgery is a kind of security attack that may affect Web sites that process forms submitted by authenticated users and make them do things against their will.

There are many solutions in PHP that can help avoid CSRF exploits.

This package can do things that are different from other solutions, like restricting the protection to specific site URLs, or to users accessing a site from specific IP addresses, and supporting multiple tokens to handle different forms.

Manuel Lemos
Author: Scott Arciszewski
Country: United States
Innovation award: nominee 28x, winner 1x

Documentation

Anti-CSRF Library


Motivation

There aren't any good session-powered CSRF prevention libraries. By good we mean:

  • CSRF tokens can be restricted to any or all of the following:
      • A particular session
      • A particular HTTP URI
      • A particular IP address (optional)
  • Multiple CSRF tokens can be stored
  • CSRF tokens expire after one use
  • An upper limit on the number of tokens stored with session data is enforced
      • In our implementation, the oldest are removed first

Warning - Do not use in any project where all $_SESSION data is stored client-side in a cookie. This will quickly run up the 4KB storage max for an HTTP cookie.

Using it in Any Project

See autoload.php for an SPL autoloader.

Using it with Twig templates

First, add a filter like this one:

use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig_SimpleFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);

Next, call the newly created form_token function from your templates.

<form action="/addUser.php" method="post">
    {{ form_token("/addUser.php") }}

    {# ... the rest of your form here ... #}
</form>

Validating a Request

    $csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            // Valid
        } else {
            // Log a CSRF attack attempt
        }
    }
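The properties listed under Motivation and the validateRequest() check above, worked through as an added example that is not the library's own code: a minimal session-backed token store that locks a token to the session, to one URI and optionally to a client IP, spends it on first use, and evicts the oldest entry once the cap is reached. The class name SessionCsrfStore, the default cap of 65, and the demo values are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration of the properties listed above; not the Anti-CSRF library's code.
final class SessionCsrfStore
{
    private array $session;   // bound by reference to the caller's session array
    private int $maxTokens;   // upper bound on stored tokens; oldest are evicted first

    public function __construct(array &$session, int $maxTokens = 65)
    {
        $this->session = &$session;
        $this->maxTokens = $maxTokens;
        $this->session['csrf'] = $this->session['csrf'] ?? [];
    }

    // Issue a fresh token tied to this session and, optionally, to one URI and one client IP.
    public function issue(?string $lockTo = null, ?string $ip = null): string
    {
        $token = bin2hex(random_bytes(32));   // CSPRNG, 256 bits of entropy
        $this->session['csrf'][] = ['token' => $token, 'lockTo' => $lockTo, 'ip' => $ip];
        while (count($this->session['csrf']) > $this->maxTokens) {
            array_shift($this->session['csrf']);   // enforce the cap: drop the oldest first
        }
        return $token;
    }

    // Check a submitted token and consume it: every token is valid for one use only.
    public function consume(string $submitted, string $uri, ?string $ip = null): bool
    {
        foreach ($this->session['csrf'] as $i => $entry) {
            if (!hash_equals($entry['token'], $submitted)) { continue; }   // constant-time compare
            unset($this->session['csrf'][$i]);   // spent on first match, whether or not it validates
            if ($entry['lockTo'] !== null && $entry['lockTo'] !== $uri) {
                return false;   // token was locked to a different form action
            }
            if ($entry['ip'] !== null && $entry['ip'] !== $ip) {
                return false;   // optional IP lock did not match
            }
            return true;
        }
        return false;   // unknown, or already spent, token
    }
}

// Constructed demo: a plain array stands in for $_SESSION; 203.0.113.5 is a documentation IP.
$session = [];
$store = new SessionCsrfStore($session);
$token = $store->issue('/addUser.php', '203.0.113.5');
var_dump($store->consume($token, '/addUser.php', '203.0.113.5'));   // first use
var_dump($store->consume($token, '/addUser.php', '203.0.113.5'));   // replay of the same token
```

In a real handler the $uri argument is the request's path (for example $_SERVER['REQUEST_URI']) and the session array is $_SESSION itself, which is why the cookie-stored-session warning above applies: every stored entry adds to the session's size.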

Files

  .travis.yml        Auxiliary data
  autoload.php       Auxiliary script
  composer.json      Auxiliary data
  LICENSE            License text
  phpunit.xml.dist   Auxiliary data
  psalm.xml          Auxiliary data
  README.md          Documentation
  run-tests.bat      Auxiliary data
  run-tests.sh       Auxiliary data

Files / src

  AntiCSRF.php       Class source
  Reusable.php       Class source

Files / tests

  AntiCSRFTest.php   Class source