internetpixels/csrf-protection

Protect your web app from malicious requests by using CSRF protection tokens in links and forms

CSRF Protection

Protect your web app from malicious requests by using CSRF protection tokens in links and forms. This CSRF protection library does not use sessions, files, memory storage or databases., _(*1)

, _(*2)

Basic examples

In the examples below you'll find the 3 most important methods: - TokenManager::create(); - TokenManager::createHtmlField(); - TokenManager::validate();, _(*3)

The full namespace is InternetPixels\CSRFProtection\TokenManager., _(*4)

Setup the TokenManager

You have to set some settings for a secure TokenManager. Please overwrite the salt by your own one., _(*5)

<?php
TokenManager::setSalt('P*17OJznMttaR#Zzwi4YhAY!H7hPGUCd', 'ERGirehgr4893ur43tjrg98rut98ueowifj');
TokenManager::setUserId(7);
TokenManager::setSessionToken('session_token');

Create a safe form

The TokenManager can improve the security, _(*6)

<form action="/your/page" method="post">
    <?= TokenManager::createHtmlField('my_form') ?>
</form>

Create a safe link

When a user wants to delete an item in your application, you want to be sure that the request is valid. Create a token and add it in the link to your delete page., _(*7)

<a href="/posts/delete/1?token=<?= TokenManager::create('delete_post') ?>">Delete Post</a>

In the delete action you want to validate the token with the TokenManager::validate() method., _(*8)

Validate the user input

Once a user is posting the form data to your server(s), you'll first need to validate the given token. By default, the field name used is _token., _(*9)

<?php

if( filter_has_var(INPUT_POST, '_token') ) {
    if( TokenManager::validate('my_form', filter_input(INPUT_POST, '_token')) ) {
        // valid token
    }
    else {
        // invalid token
    }
}