pedroac / nonce
A nonces manager usefull for preventing CSRF and replay attacks.
Requires
- php: >=7.1
- kdyby/datetime-provider: ^1.0.0
- psr/simple-cache: @stable
Requires (Dev)
- codacy/coverage: dev-master
- phpdocumentor/phpdocumentor: @stable
- phpmd/phpmd: @stable
- phpunit/phpunit: ^7.1.1
- squizlabs/php_codesniffer: @stable
- symfony/cache: ^4.0.8
Suggests
- symfony/cache: ^4.0.8
This package is not auto-updated.
Last update: 2025-03-29 08:03:58 UTC
README
A nonce manager PHP library useful for preventing CSRF and replay attacks.
We may find several articles and videos explaining the vulnerabilities that nonces try to prevent:
- YouTube - Jmaxxz - CSRF Explained
- YouTube - Professor Messer - Cross-site Request Forgery
- YouTube - Professor Messer - Replay Attacks
- YouTube - Hak5 - How to Hack Wireless Remotes with Radio Replay Attacks
- Coding Horror - Preventing CSRF and XSRF Attacks
- acunetix - CSRF Attacks, XSRF or Sea-Surf
- SitePoint - How to Prevent Replay Attacks on Your Website
It seems, though, that many PHP nonces libraries are too restrictive, coupled with some framework, hard to use or hard to understand how they work.
pedroac/nonce
tries to solve those issues.
It allows choosing any PSR-16 implementation to store temporarily the nonces, nonces values generators, expiration intervals and even a DateTime
provider to override the clock system (this feature is used for unit tests).
It also provides helpers to manage input, generate random nonces names and values, verify submitted tokens against the nonce and generate HTML elements.
Prerequisites
- PHP 7.1 or later: http://php.net/downloads.php
- Composer: https://getcomposer.org
- At least one PSR-16 implementation. Examples:
Installing
Run the command:
composer require pedroac/nonce
Usage
Examples
- Using Symfony ArrayCache
- CLI test
- HTML form using a session
- HTML form using an auto generated nonce name
- HTML form using a helper
The HTML forms can be tested using a PHP built-in web server.
From the php/examples
folder run the command:
php -S localhost:8000
Use the URL http://localhost:8000/ in a browser.
HTML form with a token
- Create a nonce form helper:
<?php require __DIR__ . '/../vendor/autoload.php'; use Symfony\Component\Cache\Simple\FilesystemCache; use \pedroac\nonce\NoncesManager; use \pedroac\nonce\Form\HtmlNonceField; use \pedroac\nonce\Form\NonceForm; // this handles automatically the input and nonce management $form = new NonceForm( 'token', // the HTML input name new NoncesManager( new FilesystemCache // a \Psr\SimpleCache\CacheInterface implementation ) ); // this will be used to generate a HTML input element $htmlField = new HtmlNonceField($form);
- Check if a valid token was submitted:
if ($form->isSubmittedValid()) { /** * handle the success: * - if all form input is valid, show success page; * - otherwise, show an error page and the form again; */ }
- Check if an invalid token was submitted:
if ($form->isSubmittedInvalid()) { /** * handle failure: * - don't show the form again; * - show an error message; */ }
- Implement the HTML form:
<form method="POST"> <?= $htmlField ?> <!-- more HTML --> <input type="submit" name="myform" value="Submit" /> </form>
The nonce is expired automatically when the token is verified with the NonceForm
class.
General usage
- Instantiate a nonce manager:
<?php require __DIR__ . '/../vendor/autoload.php'; use Symfony\Component\Cache\Simple\FilesystemCache; use \pedroac\nonce\NoncesManager; $manager = new NoncesManager(new FilesystemCache);
- When a request is submitted, validate the submitted token and remove the nonce:
$isValidToken = false; $isValidForm = false; $wasSubmitted = filter_has_var(INPUT_POST, 'myform'); $tokenName = filter_input(INPUT_POST, 'token_name'); $tokenValue = filter_input(INPUT_POST, 'token_value') ?? ''; if ($tokenName) { $isValidToken = $manager->verifyAndExpire($tokenName, $tokenValue); } if ($wasSubmitted && $isValidToken) { // validate input }
- Generate a nonce when appropriate:
if (!$wasSubmitted || (!$isValidForm && $isValidToken)) { $nonce = $manager->create(); }
- Use the nonce name and value to build, for instance, a HTML form:
<?php if ($nonce) : ?> <input type="hidden" name="token_name" value="<?= htmlspecialchars($nonce->getName()) ?>" /> <input type="hidden" name="token_value" value="<?= htmlspecialchars($nonce->getValue()) ?>" /> <input type="submit" name="myform" value="Submit" /> <?php endif; >
Options
Besides the nonces cache storage, it's possible to select the random nonce value generator and the expiration interval:
<?php require __DIR__ . '/../vendor/autoload.php'; use Symfony\Component\Cache\Simple\ArrayCache; use \pedroac\nonce\NoncesManager; use \pedroac\nonce\Random\HexRandomizer; $manager = new NoncesManager( new ArrayCache(60), new HexRandomizer(32), // a \pedroac\nonce\Random implementation new \DateInterval('PT3H') );
It's also possible to create a nonce with a specified name:
$user_id = $_SESSION['user_id']; $tokenName = "{$user_id}_form"; $nonce = $manager->create($tokenName);
NonceForm
default input source is $_POST, but it accepts any array input:
$form = new NonceForm( 'token', new NoncesManager( new FilesystemCache ), filter_input_array(INPUT_GET) // use $_GET );
Running the tests
Run from the library root folder:
php/vendor/bin/phpunit php/tests/ -c php/tests/configuration.xml
If the tests were successful, php/tests/coverage-html
should have the code coverage report.
Generating the HTML documentation
Run from the library root folder:
sh scripts/generate-docs.sh
The generated documentation should be inside the folder docs
.
Versioning
It should be used SemVer for versioning.
Authors
- Pedro Amaral Couto - Initial work - https://github.com/pedroac
License
pedroac/nonce is released under the MIT public license.
See the enclosed LICENSE for details.
Acknowledgments
The library was developed as a private request response made by a Stackoverflow user.