shadowprince/forman-csrf

CSRF protection plugin for shadowprince/forman

0.1 2013-10-24 18:30 UTC

README

Forman-Recaptcha - plugin for forman, adding automatic CSRF-protection for all forms. Plugin works at background, no code needed.

Mechanism

  • Generates and stores token at every form process
  • Compares token from form data and user cookies, if cookie not exist or not matches - field error will be added and verify (so process too) fails
  • Removes csrf_token from process result, so you'll not even notice

You can turn it off for one form

\Forman\CSRFPlugin::disable();
if ($data = $form->process($_POST)) {
    // now there is no CSRF
}
\Forman\CSRFPlugin::enable();

Or global

// somewhere in bootstrap
\Forman\CSRFPlugin::disableGlobal(); // so any enable() will not work now