kylekatarnls/csrfprotect

CSRF Protection

0.1.2 2019-01-16 16:37 UTC

README


A PHP extension (written in Zephir) that makes reliable CSRF protection easy to add.

Basic usage: Form protection

<?php

use \CsrfProtect\CsrfProtect as Csrf;

session_start();

if (isset($_POST['message'])) {
    if (Csrf::checkToken()) {
        echo 'Thanks for your message!';
    } else {
        echo 'Sorry, your session expired.';
    }
}

?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo Csrf::getTag(); ?>
</form>

Authenticated user

<?php

use \CsrfProtect\CsrfProtect as Csrf;

session_start();

if (isset($_POST['message'])) {
    if (Csrf::checkPostToken($_SESSION['user_id'])) {
        echo 'Thanks for your message!';
    } else {
        echo 'Sorry, your session expired or you have logged out.';
    }
}

?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo Csrf::getTag($_SESSION['user_id']); ?>
</form>

Protect a link

<?php

use \CsrfProtect\CsrfProtect as Csrf;

session_start();

if (isset($_GET['_csrf'])) { // a link is followed with GET, so look at the query string, not POST
    if (Csrf::checkToken($_GET['_csrf'])) {
        echo 'Thanks for clicking!';
    } else {
        echo 'Sorry, your session expired.';
    }
}

?>
<a href="?_csrf=<?php echo Csrf::getToken(); ?>">Click here!</a>

Protect a link with an authenticated user

<?php

use \CsrfProtect\CsrfProtect as Csrf;

session_start(); // $_SESSION['user_id'] is only available once the session is started

if (isset($_GET['_csrf'])) { // a link is followed with GET, so look at the query string, not POST
    if (Csrf::checkToken($_GET['_csrf'], $_SESSION['user_id'])) {
        echo 'Thanks for clicking!';
    } else {
        echo 'Sorry, your session expired.';
    }
}

?>
<a href="?_csrf=<?php echo Csrf::getToken($_SESSION['user_id']); ?>">Click here!</a>
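The authenticated form and the authenticated link above can share a single guard. The following is an added example written for this page, not code from the CsrfProtect project: it relies only on the calls shown in this README (Csrf::checkPostToken($identifier), Csrf::checkToken($token, $identifier), Csrf::getTag($identifier) and Csrf::getToken($identifier)); the helper name require_csrf() and the "action" query parameter are illustrative choices of this example, not part of the extension.

```php
<?php
// Added example, not part of the CsrfProtect project. It assumes the signatures
// used in this README: Csrf::checkPostToken($identifier) for tokens posted from
// the hidden input and Csrf::checkToken($token, $identifier) for tokens carried
// in a URL. require_csrf() and the "action" parameter are hypothetical.

use \CsrfProtect\CsrfProtect as Csrf;

session_start();

// Bind the token to the logged-in user ("" for anonymous visitors), so that a
// token issued to one account is not accepted on behalf of another.
$identifier = isset($_SESSION['user_id']) ? (string) $_SESSION['user_id'] : '';

/**
 * Stop the request with HTTP 403 unless it carries a valid CSRF token.
 * POST requests are expected to carry the hidden input emitted by Csrf::getTag();
 * other requests (links) are expected to carry the token in the _csrf query parameter.
 */
function require_csrf($identifier)
{
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';

    if ($method === 'POST') {
        $valid = Csrf::checkPostToken($identifier);
    } else {
        // A token in a URL can leak through Referer headers, browser history and
        // server logs, so prefer POST forms for anything that changes state and
        // keep link protection for low-impact actions.
        $token = isset($_GET['_csrf']) ? $_GET['_csrf'] : '';
        $valid = ($token !== '') && Csrf::checkToken($token, $identifier);
    }

    if (!$valid) {
        // Fail closed: refuse the action instead of only printing a friendly message.
        http_response_code(403);
        exit('Invalid or expired CSRF token.');
    }
}

// A state-changing action, reached only with a valid token.
if (isset($_POST['message']) || isset($_GET['action'])) {
    require_csrf($identifier);
    echo 'Action accepted.';
}
?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo Csrf::getTag($identifier); ?>
</form>
<?php // The default TOKEN_CHARS are URL-safe; htmlspecialchars() still guards the attribute context. ?>
<a href="?action=delete&amp;_csrf=<?php echo htmlspecialchars(Csrf::getToken($identifier), ENT_QUOTES, 'UTF-8'); ?>">Delete</a>
```

The guard decides which check to run from the request method rather than from which parameter happens to be present, so a forged GET cannot bypass the POST check by omitting the form field.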

Configure CsrfProtect as you need

<?php

class ShortCsrf extends \CsrfProtect\CsrfProtect
{
    const TOKEN_LENGTH = 6;
}

class LongCsrf extends \CsrfProtect\CsrfProtect
{
    const TOKEN_LENGTH = 64;
}

echo ShortCsrf::getTag(); // Displays a hidden input tag with a 6-character token
echo LongCsrf::getTag(); // Displays a hidden input tag with a 64-character token

?>

Here are all the available settings and their default values:

<?php

class Csrf extends \CsrfProtect\CsrfProtect
{
    const POST_KEY = "_csrf";
    const SESSION_PREFIX = "_csrf_";
    const TOKEN_LENGTH = 32;
    const TOKEN_CHARS = "azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN1234567890_-";
    const TOKENS_LIMIT = 5000;
}

?>

TOKEN_CHARS contains 64 distinct symbols, so each character of a token carries at most 6 bits of entropy: TOKEN_LENGTH = 6 gives at most 36 bits, which is small for a value an attacker can try to guess by repeated submissions, while the default of 32 characters gives up to 192 bits. Shorten tokens only if you have a concrete reason to, and never below the default for state-changing actions.

Extends CsrfProtect

Example: display the input tag in XHTML style: <input />

<?php

class Csrf extends \CsrfProtect\CsrfProtect
{
    public static function getTag($identifier = "")
    {
        return str_replace('>', ' />', parent::getTag($identifier));
    }
}

?>

The functional way

<?php

session_start();

if (isset($_POST['message'])) {
    if (\CsrfProtect\checkToken()) {
        echo 'Thanks for your message!';
    } else {
        echo 'Sorry, your session expired.';
    }
}

?>
<form method="post" action="">
    <textarea name="message"></textarea>
    <input type="submit">
    <?php echo \CsrfProtect\getTag(); ?>
</form>

All the public CsrfProtect methods are also available as functions.

Installation

You can install CsrfProtect anywhere Zephir can be installed.

Here is an example for Debian/Ubuntu (assuming PHP is already installed):

sudo apt-get update
sudo apt-get install git gcc make re2c php5 php5-json php5-dev libpcre3-dev
git clone https://github.com/phalcon/zephir
cd zephir
./install-json
./install -c
cd ..

(Optional) Then you can remove the Zephir sources:

rm -r zephir

Then check that Zephir is installed correctly:

zephir help

If it's not, please see: http://docs.zephir-lang.com/en/latest/install.html

Now you can download and build CsrfProtect (zephir build must be run from inside the cloned directory):

git clone https://github.com/kylekatarnls/csrfprotect
cd csrfprotect
zephir build
cd ..

(Optional) Then you can remove the CsrfProtect sources:

rm -r csrfprotect

Then add extension=csrfprotect.so to your PHP configuration. After restarting the web server or php-fpm, php -m (for the CLI SAPI) or phpinfo() (for Apache or FPM) should list the extension.

# Suse: Add a file called csrfprotect.ini in /etc/php5/conf.d/ with this content:
extension=csrfprotect.so

# CentOS/RedHat/Fedora: Add a file called csrfprotect.ini in /etc/php.d/ with this content:
extension=csrfprotect.so

# Ubuntu/Debian with apache2: Add a file called 30-csrfprotect.ini in /etc/php5/apache2/conf.d/ with this content:
extension=csrfprotect.so

# Ubuntu/Debian with php5-fpm: Add a file called 30-csrfprotect.ini in /etc/php5/fpm/conf.d/ with this content:
extension=csrfprotect.so

# Ubuntu/Debian with php5-cli: Add a file called 30-csrfprotect.ini in /etc/php5/cli/conf.d/ with this content:
extension=csrfprotect.so