zoxta/csrf

A quick and easy stateless CSRF protection for forms.

0.1.2 2015-09-27 01:51 UTC

This package is not auto-updated.

Last update: 2024-03-16 15:19:19 UTC


README

Latest Stable Version Total Downloads Latest Unstable Version License

Quick CSRF offers stateless CSRF protection for forms that requires almost zero-configuration. It uses the JSON Web Token standard so it does not depend on session/cookies.

Quick CSRF depends on the beautiful lcobucci/jwt JWT implementation.

Installation

Edit your project's composer.json to require zoxta/csrf.

"require": {
    "zoxta/csrf": "dev-master"
}

Then run composer update

Usage

Just instantiate the class and you will be ready to go. You will also find an sample usage in the example directory.

<?php

use Zoxta\Csrf;

# instantiate the class
$CsrfToken = new JwtCsrfToken();

# if a form is submitted (using POST)
if (! empty($_POST['_token'])) {

    # check if CSRF is invalid
    if ($CsrfToken->isInvalid()) {

        # return an error if CSRF token is invalid/expired
        echo '<h1>Invalid token, stop.</h1>';

    } else {

        echo '<h1>Valid token, process form.</h1>';

    }

    exit;
}

You can also just use the isValid() method immediately without any other requirements.

if ($CsrfToken->isValid()) {

    # process the form request
    echo '<h1>Valid token, process form.</h1>';
    exit;

}

To echo the CSRFT token in your forms, you have two simple ways. You can either echo the token itself:

<input type="hidden" name="_token" value="<?= $CsrfToken ?>">

Or you can echo the whole input field for simplicity using $CsrfToken->field() as the following:

<form action="" method="post">

    <!-- form fields -->

    <?= $CsrfToken->field() ?>

    <input type="submit" value="Submit Form">
</form>

TODO

  • Ability to edit default JWT options.
  • Ability to support sending tokens via GET requests or request header.