pkj/minibase-plugin-csrfprotection

Plugin that enables CSRF protection by default for Minibase framework apps.

dev-master 2013-04-26 01:28 UTC

Last update: 2024-04-29 03:07:03 UTC


README

CSRF Protection Plugin

CSRF Protection plugin for Minibase applications.

Handle evil CSRF attacks for all your routes except GET.

Install

{
  "require": {
    "pkj/minibase-plugin-csrfprotection": "dev-master"
  }
}

Usage

Add the plugin to your app.

$mb->initPlugins(array('Pkj\Minibase\Plugin\Csrf\CsrfPlugin' => null));

Echo $csrfTokenInput in the forms that make POST requests. Note that $csrfToken is also available; it contains only the token.

<form method="post">
  <?php echo $csrfTokenInput ?>
</form>

You are now protected against CSRF.

Configuration array:

  • store: cookie or session. Note that the session must be started if session is used. I recommend using cookie.
  • token_name: the name of the token. Default is "csrfToken".
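
What the check amounts to for a non-GET request with either store, as an added sketch that is not the plugin's source. The function names are hypothetical, and the token format (hex of 32 random bytes) and the comparison against a form field named by token_name are assumptions:

```php
<?php
// Illustrative sketch only: NOT the plugin's code. All function names are hypothetical.

/** Create a new unpredictable token (assumed format: hex of 32 random bytes). */
function csrf_new_token(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Decide whether a request passes the CSRF check.
 *
 * @param string $method    HTTP method of the request
 * @param array  $submitted Parsed form fields (e.g. $_POST)
 * @param array  $store     Where the expected token lives: $_COOKIE or $_SESSION
 * @param string $tokenName Field/key name; "csrfToken" is the documented default
 */
function csrf_request_is_valid(string $method, array $submitted, array $store, string $tokenName = 'csrfToken'): bool
{
    // GET routes are not checked, so they must never change state.
    if (strtoupper($method) === 'GET') {
        return true;
    }
    $expected = $store[$tokenName] ?? null;
    $actual   = $submitted[$tokenName] ?? null;
    // Reject missing, empty or non-string values (e.g. csrfToken[]=x arrives as an array).
    if (!is_string($expected) || !is_string($actual) || $expected === '') {
        return false;
    }
    // Constant-time comparison avoids leaking the token through timing.
    return hash_equals($expected, $actual);
}

/** Render the hidden input, escaping name and value for an HTML attribute. */
function csrf_token_input(string $token, string $tokenName = 'csrfToken'): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($tokenName, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8'));
}

// Constructed demo data standing in for $_COOKIE and $_POST.
$token  = csrf_new_token();
$cookie = ['csrfToken' => $token];
var_dump(csrf_request_is_valid('POST', ['csrfToken' => $token], $cookie));   // matching token
var_dump(csrf_request_is_valid('POST', ['csrfToken' => 'forged'], $cookie)); // wrong token
var_dump(csrf_request_is_valid('POST', [], $cookie));                        // token missing
var_dump(csrf_request_is_valid('GET', [], $cookie));                         // GET is skipped
```

Passing $_SESSION instead of $_COOKIE as $store gives the session variant of the same check.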

Events

You may customize the error raised when a token is invalid by adding an event handler.

$mb->events->on("csrf:invalid", function ($request) {
	return function () {
		return $this->respond("html")->view("csrfinvalid.html.php");
	};
});

Annotations

First, import the annotation class:

use Pkj\Minibase\Plugin\Csrf\Annotation\IgnoreCsrfProtection;

@IgnoreCsrfProtection

Can be applied to a controller or a controller method. Useful for RESTful APIs (JSON APIs), where we do not need to check for CSRF protection.