Csrf provides CSRF (cross-site request forgery) protection: it issues tokens that are stored in the session and sent along with a form, and validates them on the following request.
composer require webiik/csrf
// $token is the Webiik token generator and $session the Webiik session instance the constructor depends on
$csrf = new \Webiik\Csrf\Csrf($token, $session);
$csrfToken = $csrf->create();
// Now send $csrfToken with the next request, e.g. as a hidden form field named $csrf->getName()...
In the next request, validate the submitted token. Use the null coalescing operator so a request without the field fails cleanly instead of raising an undefined index warning (and, under strict_types, a TypeError):
$csrf = new \Webiik\Csrf\Csrf($token, $session);
if ($csrf->validate($_POST[$csrf->getName()] ?? '')) {
// CSRF token is valid; the matched token has been removed from the session
}
setName(string $name): void
setName() sets a custom CSRF token name; the default is 'csrf-token'. The name is also the session key under which the tokens are stored and the value returned by getName(), so use it as the name of the form field that carries the token.
$csrf->setName('my-csrf-token');
setMax(int $max): void
setMax() sets the maximum number of CSRF tokens that can be stored in the session at the same time. The default is 5, which means a user can have up to 5 CSRF-protected forms open at once. When the limit is reached, create() does not generate a new token but returns the most recently generated one.
$csrf->setMax(5);
Keep this number small: every stored token costs session storage, and a large pool only widens the set of values an attacker could guess.
create(bool $safe = false): string
create() returns a 16-character CSRF token and stores it in the session. To generate safe (unpredictable) tokens, set the $safe parameter to true.
$csrfToken = $csrf->create();
Safe tokens are slower to generate and require more resources. A CSRF token is only as strong as its unpredictability, though, so prefer $safe = true unless you have verified that the default generator is acceptable for your threat model.
validate(string $token, bool $safe = false): bool
validate() checks $token against all CSRF tokens stored in the session. If $token matches one of them, it returns true and removes that token from the session, so each token can be used only once. To use timing-attack safe comparison, set the $safe parameter to true.
$csrf->validate($token);
Timing-attack safe validation is slower and requires more resources, but constant-time comparison of a handful of 16-character strings costs microseconds; use it in production.
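The following is an added example and not code from webiik/csrf. It is a simplified stand-in for the behaviour described in the Example, setMax(), create() and validate() sections above, so you can see what the session holds and how the cap and single-use rules interact: tokens go into a capped pool under one session key, create() returns the last token once the pool is full, and validate() consumes the first constant-time match. It uses $_SESSION directly instead of the Webiik session object, random_bytes() for the token and hash_equals() for the comparison; the class name CsrfPoolDemo, the $_SESSION stand-in and the constructed POST arrays are assumptions for illustration only.

```php
<?php
declare(strict_types=1);

// Added example (not the library's code): a minimal CSRF token pool with the
// same shape as the documented API. $_SESSION is used directly so the script
// runs from the CLI; a real application calls session_start() first.
final class CsrfPoolDemo
{
    private string $name = 'csrf-token'; // session key and hidden-field name
    private int $max = 5;                // cap on simultaneously valid tokens

    public function setName(string $name): void { $this->name = $name; }
    public function setMax(int $max): void { $this->max = $max; }
    public function getName(): string { return $this->name; }

    // Issue a 16-character token from a CSPRNG and store it. When the pool is
    // full, hand back the most recently issued token instead of growing the
    // pool, which is the documented setMax() behaviour.
    public function create(): string
    {
        $pool = $_SESSION[$this->name] ?? [];
        if (count($pool) >= $this->max) {
            return (string) end($pool);
        }
        $token = bin2hex(random_bytes(8)); // 8 random bytes -> 16 hex characters
        $pool[] = $token;
        $_SESSION[$this->name] = $pool;
        return $token;
    }

    // Compare the submitted value against every stored token in constant time
    // and remove the match, so a captured token cannot be replayed.
    public function validate(?string $submitted): bool
    {
        if ($submitted === null || $submitted === '') {
            return false; // missing or empty field is never valid
        }
        $pool = $_SESSION[$this->name] ?? [];
        foreach ($pool as $i => $stored) {
            if (hash_equals((string) $stored, $submitted)) {
                unset($pool[$i]);
                $_SESSION[$this->name] = array_values($pool);
                return true;
            }
        }
        return false;
    }
}

// Constructed stand-in for a started session.
$_SESSION = [];
$csrf = new CsrfPoolDemo();
$csrf->setMax(2);

// Request 1: render two forms; each gets its own token. The third call hits
// the cap and returns the second token again without enlarging the pool.
$t1 = $csrf->create();
$t2 = $csrf->create();
$t3 = $csrf->create();

// Escape both the field name and the token before embedding them in HTML.
$field = sprintf(
    '<input type="hidden" name="%s" value="%s">',
    htmlspecialchars($csrf->getName(), ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($t1, ENT_QUOTES, 'UTF-8')
);

// Request 2: constructed POST bodies. "?? null" turns a missing field into a
// clean failure instead of an undefined index warning.
$post = [$csrf->getName() => $t1];
$emptyPost = [];
$first  = $csrf->validate($post[$csrf->getName()] ?? null);      // consumes $t1
$replay = $csrf->validate($post[$csrf->getName()] ?? null);      // $t1 is gone now
$absent = $csrf->validate($emptyPost[$csrf->getName()] ?? null); // no field at all

printf("field: %s\n", $field);
printf("pool capped (third create returned second token): %s\n", $t2 === $t3 ? 'yes' : 'no');
printf(
    "first use: %s, replay: %s, missing field: %s, tokens left in session: %d\n",
    var_export($first, true),
    var_export($replay, true),
    var_export($absent, true),
    count($_SESSION[$csrf->getName()])
);
```

Run it with `php csrf_pool_demo.php`. The walk-through shows the two properties a practitioner should verify in any CSRF implementation: the pool never grows beyond setMax(), and a token stops validating the moment it has been used once, so a stolen value cannot be replayed against a second form.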