schnittstabil/csrf-tokenservice

Stateless CSRF (Cross-Site Request Forgery) token service.

Maintainers

Details

github.com/schnittstabil/csrf-tokenservice

Homepage

Source

Issues

Installs: 152 273

Dependents: 2

Suggesters: 0

Security: 0

Stars: 15

Watchers: 2

Forks: 2

Open Issues: 0

3.1.0 2017-09-05 18:57 UTC

Requires

Requires (Dev)

MIT fab561595697c44d31dc12aebd6b7f9b93e8a7ff

  • Michael Mayer <michael.woop@schnittstabil.de>

generatorvalidatorservicetokencsrfhmacstatelessxsrfcross-site request forgerysession ridingURL-safe

This package is auto-updated.

Last update: 2024-03-26 00:54:01 UTC

README

SensioLabsInsight

Stateless CSRF (Cross-Site Request Forgery) token service 🍖

Install

$ composer require schnittstabil/csrf-tokenservice

Usage

<?php
require __DIR__.'/vendor/autoload.php';

use Schnittstabil\Csrf\TokenService\TokenService;

// Shared secret key used for generating and validating token signatures:
$key = 'This key is not so secret - change it!';

// Time to Live in seconds; default is 1440 seconds === 24 minutes:
$ttl = 1440;

// create the TokenService
$tokenService = new TokenService($key, $ttl);

// generate a URL-safe token, using the name of the authenticated user as nonce:
$token = $tokenService->generate($_SERVER['PHP_AUTH_USER']);

// validate the token - stateless; no session needed
if (!$tokenService->validate($_SERVER['PHP_AUTH_USER'], $token)) {
    http_response_code(403);
    echo '<h2>403 Access Forbidden, bad CSRF token</h2>';
    exit();
}

Related

License

MIT © Michael Mayer