zoxta / csrf
A quick and easy stateless CSRF protection for forms.
Requires
- lcobucci/jwt: ^3.0
This package is not auto-updated.
Last update: 2024-11-09 19:22:28 UTC
README
Quick CSRF offers stateless CSRF protection for forms and requires almost zero configuration. It uses the JSON Web Token (JWT) standard, so it does not depend on sessions or cookies.
Quick CSRF depends on the beautiful lcobucci/jwt JWT implementation.
Installation
Edit your project's composer.json to require zoxta/csrf:

    "require": {
        "zoxta/csrf": "dev-master"
    }

Then run composer update.
Usage
Just instantiate the class and you are ready to go. You will also find a sample usage in the example directory.
    <?php

    require 'vendor/autoload.php';

    use Zoxta\Csrf;

    # instantiate the class
    $CsrfToken = new Csrf\JwtCsrfToken();

    # if a form is submitted (using POST)
    if (! empty($_POST['_token'])) {
        # check if the CSRF token is invalid
        if ($CsrfToken->isInvalid()) {
            # return an error if the CSRF token is invalid/expired
            echo '<h1>Invalid token, stop.</h1>';
        } else {
            echo '<h1>Valid token, process form.</h1>';
        }
        exit;
    }
You can also just use the isValid() method immediately without any other requirements.
    if ($CsrfToken->isValid()) {
        # process the form request
        echo '<h1>Valid token, process form.</h1>';
        exit;
    }
To echo the CSRF token in your forms, you have two simple ways. You can either echo the token itself:
<input type="hidden" name="_token" value="<?= $CsrfToken ?>">
Or you can echo the whole input field for simplicity using $CsrfToken->field(), as follows:
    <form action="" method="post">
        <!-- form fields -->
        <?= $CsrfToken->field() ?>
        <input type="submit" value="Submit Form">
    </form>
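Putting the pieces above together, here is a complete single-file handler (an added example, not code from the zoxta/csrf README): it renders the form with field() on a GET request, and on POST it refuses the request with a 403 when isValid() fails, before any submitted field is used. It assumes the class Zoxta\Csrf\JwtCsrfToken as instantiated above and a Composer autoloader at vendor/autoload.php; the name field is a constructed placeholder.

```php
<?php
// Added example, not part of the zoxta/csrf README. Assumes the class
// Zoxta\Csrf\JwtCsrfToken (as used above) and a Composer autoloader at
// vendor/autoload.php. The "name" field is a constructed placeholder.

require 'vendor/autoload.php';

use Zoxta\Csrf;

$CsrfToken = new Csrf\JwtCsrfToken();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request before touching any submitted data when the
    // token is missing, tampered with, or expired.
    if (empty($_POST['_token']) || ! $CsrfToken->isValid()) {
        http_response_code(403);
        echo '<h1>Invalid or missing CSRF token.</h1>';
        exit;
    }

    // Token is valid: process the form. Escape user input before echoing it.
    $name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<h1>Thanks, {$name}. Form processed.</h1>";
    exit;
}

// GET (or any non-POST) request: render the form with a fresh token.
?>
<form action="" method="post">
    <label>Name <input type="text" name="name"></label>
    <?= $CsrfToken->field() ?>
    <input type="submit" value="Submit Form">
</form>
```

Because the token is stateless, the check above needs no session to have been started; the validation failure branch is the place to log or rate-limit rejected submissions if you want visibility into forged requests.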
TODO
- Ability to edit default JWT options.
- Ability to support sending tokens via GET requests or a request header.