protect against CSRFattack
PHP JavaScript
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
examples fixed many bugs Nov 8, 2013
libs firephp + ajax 90% ready Sep 25, 2013
CSRFProtector.php fixed many bugs Nov 8, 2013 Update Nov 8, 2013
csrf.protector.js fixed many bugs Nov 8, 2013
native.history.js fixed CSRF while refreshing the same page Sep 18, 2013


Protect against CSRF attack. PHP >= 5.4


Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
This class can be usefull to also avoid some sort of javascript scripts that attemps a human simulation or a DOS attack.

Why I should use this class?

  • Automatic CSRF protection
  • Strong CSRF protection
  • Bot scripts protection
  • Race conditions
  • No cookie or database used
  • Ajax

Automatic CSRF protection

Most of others PHP scripts require that you manually edit link and form one by one.
In medium and big size application, this is not only stressful but also dangerous because as human you can do mistakes.
CSRFProtector, instead, do the job automatically!

Strong CSRF protection

Most of csrf php libs protect only forms: anyway is a common practice to assign an action to an link.
Infact suppose to have a link like admin.php?action=dropDB, this script can protect you while others can't.
Also, often in others protection classes token are persistent. Instead here at each request the corrispective token is destroyed.

Bot scripts protection

CSRFProtector rewritting urls can avoid some type of javascript with the purpuse to simulate humans.

Race conditions

Sometimes there are too many click at second from the same browser,with CSRFProtector you can choose the time between script end execution and next incoming request.

No cookie or database used

CSRFProtector want to be full unintrusive.


Ajax is a special case: infact the protection is easy to enable on URLs inside the html page generated by the server.
In this case the protection is pretty same to standard links. On the other hand, sometimes you need to make request to dinamically generated URLs (by javascript).
This time CSRFProtector use a "global token" that can authorize any URL pointing your server and ,to improve security, it's regenerated each ajax call.
Because using "global token" is a bit less secure than standard way, CSRFProtector let you choose the mode on the constructor:


Just before the end of the scripts, it search in the output buffered each links and forms. Then, they are modified adding a speacial randomic token: tokens are then saved in sessions to create a white list.
When a web request come to your server, CSFRProtector check if the associated token is in the permitted list: if yes then the script can continue, otherwise a error is shown.
Not only: it also add a flag in session with the end time of script execution and you can choose when the next request is accepted.

To do:

  • Enable javascript redirect


First off all, download and unzip all the contents in a folder in your server. Let's suppose is libs.
At the begin of your main script, add this code

require ("libs/CSRFProtector-master/CSRFProtector.php");
$csrf = new CSRFProtector();

That is all! Anyway it's more powerfull than what might seem.

Advanced configurations

The construct can take an optional associative array as argument with these keys:


[string] A path where is located csrf.protector.js (browser will search for {yourpath}/csrf.protector.js)


[callable] function that will be called when CSRF attack are discovered (standard action is to end the script and display "CSFR protection")


[callable] function that generate the token(by default is a composition of 3 randomic value)


[int] The maximum life time of tokens in seconds(default is 120 seconds)


[int] The minimum time requested between the current script end time and the next request(default is 1 second)


[boolean] Activate the firephp debug sistem


[boolean] use the global token for ajax

Advanced configurations example

$error = function(){
  die("Nice try dude");  

$token = function(){
    return "_".md5(mt_rand(2,100)).time().microtime(); // univoque for better security

$time = 30; //in seconds
$min = 0; // in seconds
$jsPath = "CSRFProtector"; // path where is native.history.js

$csrf = new CSRFProtector(array( //order doesn't matter
    'jsPath' => $jsPath,
    'errorFunction' => $error,
    'tokenFunction' => $token,
    'maxTime' => $time,
    'minSecondBeforeNextClick' => $min));

It's also possible to manually protect GET and POST data using fews function:

$auto = false;
$csrf = new CSRFProtector();

    <a href="<?php echo $csrf->protectUrl("index.php"); ?>">a link</a>

    <form action="form.php" method="post">
      <?php echo $csrf->getFormHiddenComponent(); ?>