

The Csrf class provides CSRF (cross-site request forgery) protection.


composer require webiik/csrf


$csrf = new \Webiik\Csrf\Csrf($token, $session);
$csrfToken = $csrf->create();

// Now send $csrfToken to the next request, e.g. as a hidden form field
// named $csrf->getName() that arrives in $_POST...

In the next request validate the token:

$csrf = new \Webiik\Csrf\Csrf($token, $session);
// '?? ""' keeps validate() from receiving null when the field is missing
if ($csrf->validate($_POST[$csrf->getName()] ?? '')) {
    // CSRF token is valid
} else {
    // token missing, unknown or already used: reject the request
}



setName(string $name): void

setName() sets a custom CSRF token name; the default name is 'csrf-token'. The name is also the session key under which the CSRF tokens are stored.



setMax(int $max): void

setMax() sets the maximum number of simultaneous CSRF tokens that can be stored in the session. The default is 5, which means, for example, that a user can have up to 5 CSRF-protected forms open at once. If this limit is exceeded, create() does not generate a new CSRF token but returns the most recently generated one.


To save resources, never set this number too high.



create(bool $safe = false): string

create() returns a 16-character CSRF token and stores it in the session. If you want to generate safe tokens, set the $safe parameter to true.

$csrfToken = $csrf->create();

Safe tokens are slower to generate and require more resources.



validate(string $token, bool $safe): bool

validate() checks $token against all CSRF tokens stored in the session. If $token is valid, it returns true and deletes that token from the session, so each token can be used only once. If you want timing-attack-safe validation, set the $safe parameter to true.


Timing-attack safe validation is slower and requires more resources.
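The following is an added, stand-alone illustration of the token lifecycle this README describes (a named session slot, a cap on stored tokens with the last token returned once the cap is hit, one-time tokens, and an optional timing-safe comparison). It is not webiik/csrf's own code: the class name DemoCsrfStore, the array standing in for the session, and the check() helper are assumptions made for the example, and the example always draws tokens from random_bytes() rather than offering a cheaper generator. It runs from the CLI with no dependencies.

```php
<?php
// Added example (not the library's code): a minimal CSRF token store that
// mirrors the documented behaviour. $_SESSION is replaced by a plain array
// so the script runs from the command line.
declare(strict_types=1);

final class DemoCsrfStore
{
    private string $name = 'csrf-token'; // default token name from the README
    private int $max = 5;                // default cap from the README
    private array $session;              // stand-in for the real session

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    public function setName(string $name): void { $this->name = $name; }
    public function setMax(int $max): void { $this->max = max(1, $max); }
    public function getName(): string { return $this->name; }

    // Create a 16-character token (8 CSPRNG bytes, hex-encoded) and store it.
    // Once the cap is reached, hand back the most recent token instead of
    // growing the session any further.
    public function create(): string
    {
        $tokens = $this->session[$this->name] ?? [];
        if (count($tokens) >= $this->max) {
            return end($tokens);
        }
        $token = bin2hex(random_bytes(8));
        $tokens[] = $token;
        $this->session[$this->name] = $tokens;
        return $token;
    }

    // Compare $token with every stored token. On a match remove that token
    // (one-time use) and return true. With $safe, hash_equals() is used so
    // the comparison does not stop at the first differing byte.
    public function validate(string $token, bool $safe = false): bool
    {
        $tokens = $this->session[$this->name] ?? [];
        foreach ($tokens as $i => $stored) {
            $equal = $safe ? hash_equals($stored, $token) : ($stored === $token);
            if ($equal) {
                unset($tokens[$i]);
                $this->session[$this->name] = array_values($tokens);
                return true;
            }
        }
        return false;
    }
}

// Tiny assertion helper so the demo fails loudly regardless of php.ini.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- demo run on constructed input; no web server involved ---
$session = [];                       // stand-in for $_SESSION
$csrf = new DemoCsrfStore($session);
$csrf->setMax(2);

$t1 = $csrf->create();
$t2 = $csrf->create();
$t3 = $csrf->create();               // cap reached: same token as $t2

check(strlen($t1) === 16, 'token is 16 characters');
check($t3 === $t2, 'cap returns the last token');
check(count($session[$csrf->getName()]) === 2, 'session holds at most 2 tokens');
check($csrf->validate($t1, true) === true, 'first use is accepted');
check($csrf->validate($t1, true) === false, 'replay of a used token is rejected');
check($csrf->validate('0000000000000000', true) === false, 'unknown token is rejected');
check(count($session[$csrf->getName()]) === 1, 'used token was removed');
echo "demo ok\n";
```

Run it with `php demo.php`. The one-time removal in validate() is what stops a captured token from being replayed, and the cap is what keeps an attacker who can trigger many form renders from filling the session store.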

