2017 © Pedro Peláez
 

library anti-csrf

Resonant Core's Anti-CSRF Security Library

image

resonantcore/anti-csrf

Resonant Core's Anti-CSRF Security Library

  • Tuesday, April 21, 2015
  • by resonantcore
  • Repository
  • 5 Watchers
  • 11 Stars
  • 4 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 2 Forks
  • 0 Open issues
  • 1 Versions
  • 0 % Grown

The README.md

Anti-CSRF Library

Build Status Latest Stable Version Latest Unstable Version License Downloads, (*1)

Motivation

There aren't any good session-powered CSRF prevention libraries. By good we mean:, (*2)

  • CSRF tokens can be restricted to any or all of the following:
    • A particular session
    • A particular HTTP URI
    • A particular IP address (optional)
  • Multiple CSRF tokens can be stored
  • CSRF tokens expire after one use
  • An upper limit on the number of tokens stored with session data is enforced
    • In our implementation, the oldest are removed first

Warning - Do not use in any project where all $_SESSION data is stored client-side in a cookie. This will quickly run up the 4KB storage max for an HTTP cookie., (*3)

Using it in Any Project

See autoload.php for an SPL autoloader., (*4)

Using it with Twig templates

First, add a filter like this one:, (*5)

use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig_SimpleFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);

Next, call the newly created form_token function from your templates., (*6)



{{ form_token("/addUser.php") }} {# ... the rest of your form here ... #}

Validating a Request

    $csrf = new \ParagonIE\AntiCSRF\AntiCSRF;
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            // Valid
        } else {
            // Log a CSRF attack attempt
        }
    }

Support Contracts

If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises., (*7)

The Versions

21/04 2015

dev-master

9999999-dev

Resonant Core's Anti-CSRF Security Library

  Sources   Download

(MIT or AGPL-3.0)

The Development Requires

security session csrf appsec