
CSRF #3

Open
oscarotero opened this issue Jan 18, 2017 · 3 comments

Comments

@oscarotero
Member

A middleware for CSRF (Cross Site Request Forgery) should be really useful but brings some challenges:

  • How to manage the session?
  • How to make it easy to work with ajax?

References:

oscarotero mentioned this issue Jan 18, 2017
@schnittstabil
Member

schnittstabil commented Jan 18, 2017

Sessions are not necessarily needed, e.g. my schnittstabil/psr7-csrf-middleware is based on the JWT idea – it just depends on the use cases.

schnittstabil/psr7-csrf-middleware also provides multiple ways to deal with ajax, plain old <input/> and twig templates – hence feel free to ask me.

@schnittstabil
Member

Btw, I'm planning to port schnittstabil/psr7-csrf-middleware to PSR-15 – but this has very low priority atm.

@zakirullin

zakirullin commented May 15, 2018

@schnittstabil's solution is good enough! And it looks like production-ready! Good job!
Though, I've invented one which fits my needs better. It is more suitable in case you have some kind of session storage already, and I think you do, because it's essential to have this one in your project, and roughly speaking there is no need for CSRF protection without auth. So! In my opinion, you shouldn't care about the session_id storing/transfer mechanism. You can leave it to other packages; this way we'll preserve simplicity as well as the single responsibility principle. As an example, I use https://github.com/psr7-sessions/storageless alongside the mentioned solution.
Any comments would be appreciated (especially from @schnittstabil, as your project is more valuable)! And yes, it is PSR-15 compatible!
https://github.com/zakirullin/csrf-middleware
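A worked example of the token scheme the two comments above describe: a stateless token in the spirit of schnittstabil's JWT idea (the server stores nothing per token) that is nonetheless bound to a session id supplied by some other package, as in zakirullin's approach. This is added illustration code, not code from either linked project; the class name CsrfTokenGuard, the token layout (expiry.nonce.hmac), the helper csrfDecision and the demo values are assumptions, and it targets PHP 8.1+. The PSR-15 interfaces are not bundled here, so the middleware wiring is reduced to a plain function that returns the status the middleware would answer with.

```php
<?php
declare(strict_types=1);

// Stateless CSRF token bound to an existing session identifier.
// Token = <expiry>.<nonce>.<hex hmac-sha256 over session id, expiry and nonce>.
// Nothing is stored server-side: the MAC proves the token was issued by us
// for this session, and the embedded expiry bounds its lifetime.
final class CsrfTokenGuard
{
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    public function __construct(
        private readonly string $secret,        // server-side secret, >= 32 random bytes
        private readonly int $ttlSeconds = 3600,
    ) {
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('secret must be at least 32 bytes');
        }
    }

    // Issue a token for the current session; the client echoes it back in a
    // hidden <input> or, for ajax, in a request header.
    public function issue(string $sessionId, ?int $now = null): string
    {
        $expires = ($now ?? time()) + $this->ttlSeconds;
        $nonce   = bin2hex(random_bytes(16));
        $payload = $expires . '.' . $nonce;
        return $payload . '.' . $this->mac($sessionId, $payload);
    }

    // Verify a token presented with a state-changing request.
    public function verify(string $sessionId, string $token, ?int $now = null): bool
    {
        $parts = explode('.', $token);
        if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
            return false;                                   // malformed
        }
        [$expires, $nonce, $mac] = $parts;
        if ((int) $expires < ($now ?? time())) {
            return false;                                   // expired
        }
        $expected = $this->mac($sessionId, $expires . '.' . $nonce);
        return hash_equals($expected, $mac);                // constant-time compare
    }

    public function isSafeMethod(string $method): bool
    {
        return in_array(strtoupper($method), self::SAFE_METHODS, true);
    }

    private function mac(string $sessionId, string $payload): string
    {
        return hash_hmac('sha256', $sessionId . '|' . $payload, $this->secret);
    }
}

// What a PSR-15 middleware's process() would do (hypothetical helper, interfaces
// omitted): on an unsafe method, take the session id that the session middleware
// attached to the request and the token from the form field or header, and
// short-circuit with 403 when verification fails; otherwise hand off to the handler.
function csrfDecision(CsrfTokenGuard $guard, string $method, string $sessionId, ?string $token): int
{
    if ($guard->isSafeMethod($method)) {
        return 200;
    }
    return ($token !== null && $guard->verify($sessionId, $token)) ? 200 : 403;
}

// --- constructed demo values, not from either project ---
$guard     = new CsrfTokenGuard(secret: str_repeat('s', 32));   // use random_bytes(32) in practice
$sessionId = 'sess-alice';
$token     = $guard->issue($sessionId);

var_dump($guard->verify($sessionId, $token));                  // genuine token for this session
var_dump($guard->verify('sess-mallory', $token));              // same token, different session: rejected
var_dump($guard->verify($sessionId, $token . 'x'));            // tampered MAC: rejected
var_dump($guard->verify($sessionId, $token, time() + 7200));   // past its expiry: rejected
var_dump(csrfDecision($guard, 'GET', $sessionId, null));       // safe method needs no token
var_dump(csrfDecision($guard, 'POST', $sessionId, null));      // unsafe method without token
```

The session id is mixed into the MAC rather than stored alongside the token, which is what lets the CSRF package stay ignorant of how the session is transported (cookie, storageless JWT, or otherwise) while still refusing a token minted for a different session; binding to the session id also means a session-fixation defence that rotates the id implicitly invalidates outstanding tokens.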


3 participants