Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
83 lines (73 sloc) 2.21 KB

Csrf

The Csrf provides CSRF protection.

Installation

composer require webiik/csrf

Example

$csrf = new \Webiik\Csrf\Csrf($token, $session);
$token = $csrf->create();

// Now send the $token to the next request, e.g. using $_POST...

In the next request validate token:

$csrf = new \Webiik\Csrf\Csrf($token, $session);
if ($csrf->validate($_POST[$csrf->getName()])) {
    // CSRF token is valid
}

Configuration

setName

setName(string $name): void

setName() sets custom CSRF token name, the default name is 'csrf-token'. It is also the session key of CSRF token.

$csrf->setName('my-csrf-token');

setMax

setMax(int $max): void

setMax() sets the maximum number of simultaneous CSRF tokens that can be stored in the session. The default number is 5. It means, for example, that user can open up to 5 CSRF protected forms at once. If this limit is exceeded, the method create() does not generate new CSRF token, but it returns the lastly generated token.

$csrf->setMax(5);

Save resources and never set too big number.

Generating

create

create(bool $safe = false): string

create() returns 16 characters long CSRF token and stores it in the session. If you want to generate safe tokens, set the $safe parameter to true.

$csrfToken = $csrf->create();

Safe tokens are slower to generate and require more resources.

Validation

validate

validate(string $token, bool $safe): bool

$validate() validates $token to the all CSRF tokens stored in session. If $token is valid, it returns true and deletes valid token from session. If you want to use the timing-attack safe validation, set the $safe parameter to true.

$csrf->validate($token);

Timing-attack safe validation is slower and requires more resources.

Resources

You can’t perform that action at this time.