rhubarbphp / module-csrfprotection
A means to provide token based CSRF protection
Installs: 56 741
Dependents: 1
Suggesters: 0
Security: 0
Stars: 0
Watchers: 5
Forks: 0
Open Issues: 3
Requires
- rhubarbphp/rhubarb: ^1.7.9
Requires (Dev)
- codeception/codeception: ^2.0.0
- codeception/specify: ^0.4.6
- codeception/verify: ^0.4.0
This package is auto-updated.
Last update: 2024-12-06 12:12:33 UTC
README
Provides a mechanism for CSRF protection
Usage
Simply require the module using composer:
composer require rhubarbphp/module-csrfprotection
There are two types of validation provided.
Header validation
Call the validateHeaders method of the library to compare the Origin and Referer headers with the active request:
CsrfProtection::singleton()->validateHeaders($request);
$request should be the active WebRequest object. If you don't have a reference to it, you can get it with
$request = Request::current();
This validation should be done for every POST request. It can also be done for GET requests, but this isn't recommended, as it will fail on the first request a client makes to the site.
Cookie validation
This approach should be used in conjunction with header validation and compares a posted value against a previously generated random token stored in a cookie on the client.
When you output a form tag include the CSRF cookie token:
$csrfProtector = CsrfProtection::singleton();
print '<input type="hidden" name="' . CsrfProtection::TOKEN_COOKIE_NAME . '" value="' . htmlentities($csrfProtector->getCookie()) . '" />';
When handling the post back, validate both the headers and the cookie:
if ($request->server('REQUEST_METHOD') == 'POST') {
    CsrfProtection::singleton()->validateHeaders($request);
    CsrfProtection::singleton()->validateCookie($request);
}
Handling failures
If validation fails, a CsrfViolationException is thrown, which should be caught and handled appropriately.
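The following is an added example, not code from the module's README, that ties the header validation, cookie validation and failure handling above into one form handler: it renders the form with the token on GET, runs both checks on POST, and converts a CsrfViolationException into a 403. It uses only the class and method names shown on this page; the `use` statements for their namespaces, the `/profile` route and the `$request->post()` accessor are assumptions.

```php
<?php
// Added example: one handler covering the token output, both validations and
// the failure path. Class and method names are those from the README; add the
// `use` lines for their namespaces according to your autoloader (assumed).

function renderProfileForm(CsrfProtection $csrf): string
{
    // Double-submit pattern: the random token lives in a cookie and is echoed
    // into the form, so a cross-site POST cannot supply a matching pair.
    $token = htmlentities($csrf->getCookie(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/profile">'
        . '<input type="hidden" name="' . CsrfProtection::TOKEN_COOKIE_NAME
        . '" value="' . $token . '" />'
        . '<input type="text" name="displayName" />'
        . '<button type="submit">Save</button>'
        . '</form>';
}

function handleProfileUpdate(): string
{
    $request = Request::current();
    $csrf = CsrfProtection::singleton();

    if ($request->server('REQUEST_METHOD') !== 'POST') {
        // Header validation is deliberately skipped on GET: the README notes it
        // fails on a client's first request, which carries no Origin/Referer.
        return renderProfileForm($csrf);
    }

    try {
        // Header check first: it rejects cross-site POSTs before the
        // cookie-versus-form token comparison runs.
        $csrf->validateHeaders($request);
        $csrf->validateCookie($request);
    } catch (CsrfViolationException $e) {
        // Fail closed: log server-side, do not echo request details back.
        error_log('CSRF violation on /profile: ' . $e->getMessage());
        http_response_code(403);
        return 'Request rejected.';
    }

    // Only reached when both checks passed; apply the state change here.
    $displayName = $request->post('displayName'); // assumed WebRequest accessor
    return 'Saved display name: ' . htmlentities($displayName, ENT_QUOTES, 'UTF-8');
}

echo handleProfileUpdate();
```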