dimns / simplecsrf
Simple CSRF-token class to prevent CSRF attacks. For forms and AJAX requests.
v2.0.0
2016-07-25 06:43 UTC
Requires
- php: >=5.3.0
This package is auto-updated.
Last update: 2024-11-15 03:48:05 UTC
README
Simple CSRF-token class to prevent CSRF attacks
Requirements
- PHP 5.3 or higher is required.
Composer installation
- Get Composer.
- Require SimpleCSRF with
  `php composer.phar require dimns/simplecsrf`
  or `composer require dimns/simplecsrf` (if Composer is installed globally).
- Add the following to your application's main PHP file:
  `require 'vendor/autoload.php';`
Usage with FORM
```php
<?php
require 'vendor/autoload.php';
session_start();

// Init class (default session name: csrf_token)
$csrf = new \DimNS\SimpleCSRF();

// Init class with another session name
$csrf = new \DimNS\SimpleCSRF('my_session_name');

// Getting a token for forms
$csrf_token = $csrf->getToken();

// Checking the token (guard against a missing field so a forged or
// incomplete request fails cleanly instead of raising an undefined-index notice)
$posted_token = isset($_POST['_token']) ? $_POST['_token'] : '';
if ($csrf->validateToken($posted_token)) {
    echo 'Token correct';
} else {
    echo 'Invalid token';
}
```
```html
<form action="index.php" method="post">
    <input type="text" name="login">
    <input type="password" name="password">
    <input type="hidden" name="_token" value="<?=$csrf_token?>">
    <input type="submit" value="GO!">
</form>
```
Usage with AJAX
```php
<?php
require 'vendor/autoload.php';
session_start();

// Init class (default session name: csrf_token)
$csrf = new \DimNS\SimpleCSRF();

// Init class with another session name
$csrf = new \DimNS\SimpleCSRF('my_session_name');

// Generate a token for the page (exposed to JavaScript via a <meta> tag, see below)
$csrf_token = $csrf->getToken();

// Checking the token sent in the X-CSRFToken request header
// (guard against a missing header so the check fails cleanly)
$header_token = isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '';
if ($csrf->validateToken($header_token)) {
    // Token correct
} else {
    // Invalid token
}
```
```html
<head>
    <meta name="_token" content="<?=$csrf_token?>">
</head>
```
```javascript
// jQuery: attach the token to every state-changing request
$.ajaxSetup({
    beforeSend: function (xhr, settings) {
        if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", $('meta[name="_token"]').attr('content'));
        }
    }
});
```