internetpixels / csrf-protection
Protect your web app from malicious requests by using CSRF protection tokens in links and forms
Installs: 2 079
Dependents: 0
Suggesters: 0
Security: 0
Stars: 3
Watchers: 2
Forks: 0
Open Issues: 0
Requires
- php: >=7.4
Requires (Dev)
- phpunit/phpunit: ^9.0
- squizlabs/php_codesniffer: 3.*
This package is auto-updated.
Last update: 2025-02-16 17:57:18 UTC
README
Protect your web app from malicious requests by using CSRF protection tokens in links and forms. This CSRF protection library does not use sessions, files, memory storage or databases.
Basic examples
In the examples below you'll find the 3 most important methods:
TokenManager::create();TokenManager::createHtmlField();TokenManager::validate();
The full namespace is InternetPixels\CSRFProtection\TokenManager.
Setup the TokenManager
You have to set some settings for a secure TokenManager. Please overwrite the salt by your own one.
<?php TokenManager::setSalt('P*17OJznMttaR#Zzwi4YhAY!H7hPGUCd', 'ERGirehgr4893ur43tjrg98rut98ueowifj'); TokenManager::setUserId(7); TokenManager::setSessionToken('session_token');
Create a safe form
The TokenManager can improve the security
<form action="/your/page" method="post">
<?= TokenManager::createHtmlField('my_form') ?>
</form>
Create a safe link
When a user wants to delete an item in your application, you want to be sure that the request is valid. Create a token and add it in the link to your delete page.
<a href="/posts/delete/1?token=<?= TokenManager::create('delete_post') ?>">Delete Post</a>
In the delete action you want to validate the token with the TokenManager::validate() method.
Validate the user input
Once a user is posting the form data to your server(s), you'll first need to validate the given token. By default, the field name used is _token.
<?php if( filter_has_var(INPUT_POST, '_token') ) { if( TokenManager::validate('my_form', filter_input(INPUT_POST, '_token')) ) { // valid token } else { // invalid token } }