HMAC is stateless, so it is much faster:

| Factor | Synchronizer | HMAC |
|--------|--------------|------|
| I/O per request | 1 read + 1 write (file lock) | 0 |
| Session directory GC | 1% of requests (PHP's default `session.gc_probability`/`session.gc_divisor`) scan all files | Never triggered |
| File accumulation | Grows forever, so GC gets slower and slower | Nothing to accumulate |

To use it:

```php
CsrfTokenInterface::class => [
    'class' => MaskedCsrfToken::class,
    '__construct()' => [
        'token' => Reference::to(HmacCsrfToken::class),
    ],
],
```

Drawbacks are:

1. Tokens can't be invalidated: there is no server-side record to delete, so a leaked token stays valid until it expires.
2. Replay is possible within the lifetime window: the same token validates as many times as it is submitted before expiry.
3. It relies on unique session IDs. Without a session, for example for anonymous users when nobody is logged in, there is nothing to bind the token to, so this CSRF protection doesn't work.
4. It needs a secret key, which has to be generated with enough entropy and kept server-side.
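As an added example (not code from yiisoft/csrf or the Yii project), here is a minimal stateless HMAC CSRF token in plain PHP 8 that shows why there is nothing to read, write or garbage-collect, and exercises each of the four drawbacks above. The `StatelessHmacCsrf` class, its token layout (expiry and HMAC-SHA256 over session ID plus expiry, base64url-encoded), and the sample session ID and clock are assumptions for illustration; the per-request masking that the original configuration adds by wrapping `HmacCsrfToken` in `MaskedCsrfToken` is left out.

```php
<?php
declare(strict_types=1);

// Added illustration, not the yiisoft/csrf implementation.
// Token = base64url( expiry . "|" . HMAC-SHA256(secret, sessionId . "|" . expiry) ).
// Verification needs only the secret and the caller's session ID: no file I/O, no GC.
final class StatelessHmacCsrf
{
    public function __construct(
        private string $secret,       // drawback 4: a server-side secret is required
        private int $lifetime = 900,  // seconds; this is also the replay window (drawback 2)
    ) {
        if (strlen($secret) < 32) {
            throw new InvalidArgumentException('CSRF secret must be at least 32 bytes');
        }
    }

    public function generate(string $sessionId, int $now): string
    {
        if ($sessionId === '') {
            // drawback 3: without a session there is nothing to bind the token to
            throw new LogicException('cannot issue a CSRF token without a session ID');
        }
        $expires = $now + $this->lifetime;
        $mac = hash_hmac('sha256', $sessionId . '|' . $expires, $this->secret, true);
        return self::b64urlEncode($expires . '|' . $mac);
    }

    public function verify(string $token, string $sessionId, int $now): bool
    {
        $raw = self::b64urlDecode($token);
        if ($raw === null || $sessionId === '') {
            return false;
        }
        $sep = strpos($raw, '|');
        if ($sep === false) {
            return false;
        }
        $expiresStr = substr($raw, 0, $sep);
        $mac = substr($raw, $sep + 1);
        if (preg_match('/\A\d{1,19}\z/', $expiresStr) !== 1 || strlen($mac) !== 32) {
            return false;
        }
        $expires = (int) $expiresStr;
        if ($now >= $expires) {
            return false; // drawback 1: expiry is the only way a token ever stops working
        }
        $expected = hash_hmac('sha256', $sessionId . '|' . $expires, $this->secret, true);
        return hash_equals($expected, $mac); // constant-time comparison
    }

    private static function b64urlEncode(string $bytes): string
    {
        return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
    }

    private static function b64urlDecode(string $text): ?string
    {
        $padded = str_pad(strtr($text, '-_', '+/'), (int) (ceil(strlen($text) / 4) * 4), '=');
        $bytes = base64_decode($padded, true);
        return $bytes === false ? null : $bytes;
    }
}

// Constructed sample data: a fixed clock and a made-up session ID.
// In a real deployment the secret comes from configuration, not from random_bytes() at startup.
$csrf  = new StatelessHmacCsrf(bin2hex(random_bytes(32)), 900);
$sid   = 'c0ffee-session-id';
$t0    = 1_700_000_000;
$token = $csrf->generate($sid, $t0);

$check = static function (bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("unexpected: $what");
    }
};
$check($csrf->verify($token, $sid, $t0 + 10), 'fresh token is accepted');
$check($csrf->verify($token, $sid, $t0 + 10), 'same token is accepted again: replay inside the window');
$check(!$csrf->verify($token, 'other-session', $t0 + 10), 'token is bound to the session ID');
$check(!$csrf->verify($token, $sid, $t0 + 900), 'expiry is the only thing that kills a token');
$check(!$csrf->verify($token . 'x', $sid, $t0 + 10), 'tampered token is rejected');
echo "all checks passed\n";
```

Two points worth noticing when running it: the second `verify` call on the same token succeeds, which is exactly the replay window from drawback 2, and there is no method to revoke a token short of rotating the secret for everyone (drawback 1). The configuration on this page wraps `HmacCsrfToken` in `MaskedCsrfToken`, which in yiisoft/csrf XORs the value with a fresh random mask each time it is read so that a compression side channel such as BREACH cannot recover a static token; that layer sits on top of the scheme shown here and does not change any of the four drawbacks.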