THIS MODULE IS DEPRECATED! Please use Kohana Security class instead. Thanks!
README.markdown

What is CSRF?

A CSRF (cross-site request forgery) is a malicious attack which forces an end user to execute unwanted actions on a web application in which the user is currently authenticated.

Visit the OWASP website for more information.

How does it work?

When a form is requested, this module generates a random token and stores both the token and the time it was generated in the user's session. The current time is then appended to the token, and the result is inserted into the form as a hidden field.

When the form is submitted, the module checks the token's validity in two steps. First it calculates the time between the form's rendering and its submission: if the difference is 0, or longer than 30 seconds, the form is assumed to have been submitted by a bot and validation fails. If that test passes, the module checks whether the submitted token matches a token currently stored in the user's session; if it does, validation succeeds and the form is processed.

Won't this break tabbing and forward/back buttons?

To cope with these issues, this module stores up to 5 tokens in the session at a time. Each token will expire after 5 minutes.
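The render-and-validate flow described in the two answers above, as an added standalone sketch (not the module's own code, and not tied to Kohana's Session or Validate classes). The session is a plain array, the time is passed in explicitly so the timing rules can be exercised, and the 30-second, 5-token and 5-minute limits are taken from the README; consuming a token once it validates and comparing with `hash_equals` are additions of this sketch.

```php
<?php
// Added example: a standalone PHP reimplementation of the scheme the README
// describes. Not the module's code; session storage is a plain array.

const CSRF_MAX_TOKENS = 5;    // tokens kept per session (README: "up to 5")
const CSRF_TOKEN_TTL  = 300;  // seconds a stored token lives (README: 5 minutes)
const CSRF_MAX_SUBMIT = 30;   // seconds allowed between render and submission

// Render side: create a random token, remember it with its creation time in
// the session, and return the value that goes into the hidden form field.
function csrf_token(array &$session, int $now): string
{
    $secret = bin2hex(random_bytes(16));
    $tokens = $session['csrf_tokens'] ?? [];
    // drop expired entries, append the new one, keep only the newest five
    $tokens = array_filter($tokens, fn($t) => $now - $t['time'] < CSRF_TOKEN_TTL);
    $tokens[] = ['token' => $secret, 'time' => $now];
    $session['csrf_tokens'] = array_slice($tokens, -CSRF_MAX_TOKENS);
    // the form field carries "secret:render-time", as the README describes
    return $secret . ':' . $now;
}

// Submit side, in the README's order: timing check first, then session lookup.
function csrf_valid(array &$session, string $field, int $now): bool
{
    $parts = explode(':', $field, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;                       // malformed field
    }
    [$secret, $rendered] = $parts;
    $elapsed = $now - (int) $rendered;
    if ($elapsed <= 0 || $elapsed > CSRF_MAX_SUBMIT) {
        return false;                       // instant or stale: treated as a bot
    }
    foreach ($session['csrf_tokens'] ?? [] as $i => $stored) {
        if ($now - $stored['time'] < CSRF_TOKEN_TTL
            && hash_equals($stored['token'], $secret)) {
            unset($session['csrf_tokens'][$i]); // addition: single use per token
            return true;
        }
    }
    return false;                           // unknown or expired token
}

// Constructed walk-through: one form rendered at t=1000 and submitted 5 s later,
// the same field replayed, and a second form submitted in the same second.
$session = [];
$field = csrf_token($session, 1000);
var_dump(csrf_valid($session, $field, 1005));                      // genuine submission
var_dump(csrf_valid($session, $field, 1006));                      // replay of a used token
var_dump(csrf_valid($session, csrf_token($session, 2000), 2000));  // zero seconds elapsed
```

Because the render time travels inside the form field, treat the 30-second rule as a heuristic against automated submission; the session lookup is the check that actually binds the request to the user who loaded the form.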

Example Usage

First add the module's files to your modules directory and enable the module in your bootstrap.

Add token to your form

You have the option of using either the Form helper method or calling the CSRF helper directly.

Form helper:

```php
<?php echo Form::token() ?>
```

CSRF helper:

```php
<input type="hidden" name="token" value="<?php echo CSRF::token() ?>" />
```

Add validation rule to your controller

```php
// Require the token field and run it through the module's validation callback
$post->rules('token', array(
    'not_empty'   => NULL,
    'csrf::valid' => NULL,
));
```