diff --git a/README.md b/README.md index fafad37..db5d223 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,11 @@ Sometimes there are too many click at second from the same browser,with CSRFProt CSRFProtector want to be full unintrusive. #### Ajax -Coming soon +Ajax is a special case: infact the protection is easy to enable on URLs inside the html page generated by the server. +In this case the protection is pretty same to standard links. +On the other hand, sometimes you need to make request to dinamically generated URLs (by javascript). +This time CSRFProtector use a "global token" that can authorize any URL pointing your server and ,to improve security, it's regenerated each ajax call. +Because using "global token" is a bit less secure than standard way, CSRFProtector let you choose the mode on the constructor: --- @@ -53,7 +57,6 @@ Not only: it also add a flag in session with the end time of script execution an To do: -* Enable ajax * Enable javascript redirect --- @@ -65,8 +68,7 @@ At the begin of your main script, add this code ```php require ("libs/CSRFProtector-master/CSRFProtector.php"); -$jsPath = "CSRFProtector"; // path where is native.history.js -$csrf = new CSRFProtector($jsPath); +$csrf = new CSRFProtector(); $csrf->run(); ``` 
@@ -75,13 +77,59 @@ That is all! Anyway it's more powerfull than what might seem. #### Advanced configurations -The construct can take three optional arguments: +The construct can take an optional associative array as argument with these keys: + + +```php + "jsPath" +``` +[string] A path where is located csrf.protector.js (browser will search for {yourpath}/csrf.protector.js) + +--- + +```php + "errorFunction" +``` +[[callable]](http://php.net/manual/en/language.types.callable.php) function that will be called when CSRF attack are discovered (standard action is to end the script and display "CSFR protection") + +--- + +```php + "tokenFunction" +``` +[[callable]](http://php.net/manual/en/language.types.callable.php) function that generate the token(by default is a composition of 3 randomic value) + +--- + +```php + "maxTime" +``` +[int] The maximum life time of tokens in seconds(default is 120 seconds) + +--- + +```php + "minSecondBeforeNextClick" +``` +[int] The minimum time requested between the current script end time and the next request(default is 1 second) + +--- + +```php + "debug" +``` +[boolean] Activate the firephp debug sistem + +--- + +```php + "globalToken" +``` +[boolean] use the global token for ajax + +--- -1. A string path where is located native.history.js (browser will search for {yourpath}/native.history.js) -2. A [callable](http://php.net/manual/en/language.types.callable.php) function that will be called when CSRF attack are discovered (standard action is to end the script and display "CSFR protection") -3. A [callable](http://php.net/manual/en/language.types.callable.php) function that generate the token(by default is a composition of 3 randomic value) -4. The maximum life time of tokens in seconds(default is 120 seconds) -5. The minimum time requested between the current script end time and the next request(default is 1 second) +#### Advanced configurations example ```php 
@@ -97,7 +145,13 @@ $time = 30; //in seconds $min = 0; // in seconds $jsPath = "CSRFProtector"; // path where is native.history.js -$csrf = new CSRFProtector($jsPath,$error,$token,$time,$min); +$csrf = new CSRFProtector(array( //order doesn't matter + 'jsPath' => $jsPath, + 'errorFunction' => $error, + 'tokenFunction' => $token, + 'maxTime' => $time, + 'debug'=>true, + 'minSecondBeforeNextClick' => $min)); $csrf->run(); ``` @@ -108,8 +162,7 @@ It's also possible to manually protect GET and POST data using fews function: ```php $auto = false; -$jsPath = "CSRFProtector"; -$csrf = new CSRFProtector($jsPath); +$csrf = new CSRFProtector(); $csrf->run($auto);
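Review bot: The new Ajax paragraph (hunk @@ -40) stops mid-sentence at "let you choose the mode on the constructor:"; name the option right there (the `"globalToken"` key that this same patch documents further down) so the reader knows how to switch modes. The same paragraph states that the global token "can authorize any URL pointing your server" and "it's regenerated each ajax call" but not what happens when two Ajax requests are in flight at once: the second request would carry a token the first one already rotated. Either document that concurrent requests are unsupported in global-token mode or describe how the library copes with them. Spelling while you are there: "infact" -> "in fact", "dinamically" -> "dynamically", "CSRFProtector use" -> "CSRFProtector uses", "pretty same" -> "much the same".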
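Review bot: With `$jsPath` removed from the basic example (hunk @@ -65), the README no longer says where the browser will look for the script when no path is passed; add the default `jsPath` value beside `$csrf = new CSRFProtector();` (or in the `"jsPath"` entry), otherwise a first-time user cannot tell where to put csrf.protector.js.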
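Review bot: The `"globalToken"` entry (hunk @@ -75) says only "use the global token for ajax" and gives no default; since the Ajax section in this patch calls the global token "a bit less secure than standard way", state the default explicitly, and make the weaker mode opt-in (`false` by default). In the same list, `"debug"` ("Activate the firephp debug sistem") should say it is for development only, and `"tokenFunction"` should state what the callable must return (a string an attacker cannot predict), because a weak replacement silently defeats the whole check. Minor: `[[callable]](...)` renders a literal bracket pair, use `[callable](...)`; "sistem" -> "system", "randomic value" -> "random values", and "CSFR protection" is presumably "CSRF protection" unless that is the exact string the library prints.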
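Review bot: The unchanged context line `$jsPath = "CSRFProtector"; // path where is native.history.js` (hunk @@ -97) is now stale: the `"jsPath"` entry added earlier in this patch says the file is csrf.protector.js, and the other two examples had their native.history.js comments deleted. Update or drop the comment. In the new array, `'debug'=>true` is missing the spaces around `=>` that the neighbouring keys use, and since this is the copy-paste example, either remove it or comment that it is there only for demonstration so a user does not ship with FirePHP output enabled.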