rhubarbphp/module-csrfprotection

A means to provide token based CSRF protection

Module.CsrfProtection

Provides a mechanism for CSRF protection, _(*1)

Usage

Simply require the module using composer:, _(*2)

composer require rhubarbphp/module-csrfprotection

There are two types of validation provided, _(*3)

Header validation

Simply call the validateHeaders method of the library to compare Origin and Referrer headers with the active request., _(*4)

``` php CsrfProtection::singleton()->validateHeaders($request);, <sub>(*5)</sub>

$request should be the active WebRequest object. If you don't have a reference to it you can get it using

``` php
$request = Request::current();

This validation should be done for every POST request. It can also be done for GET requests, however it isn't recommended as it will fail on the first request a client makes to the site., <sub>(*6)</sub>

Cookie validation

This approach should be used in conjunction with header validation and compares a posted value against a previously generated random token stored in a cookie on the client., <sub>(*7)</sub>

When you output a form tag include the CSRF cookie token:, <sub>(*8)</sub>

$csrfProtector = CsrfProtection::singleton();

print '<input type="hidden" name="' . CsrfProtection::TOKEN_COOKIE_NAME . '" value="' . htmlentities($csrfProtector->getCookie()) . '" />';

When handling the post back, validate headers and the cookie:, <sub>(*9)</sub>

if ($request->server('REQUEST_METHOD') == 'POST'){
    CsrfProtection::singleton()->validateHeaders($request);
    CsrfProtection::singleton()->validateCookie($request);
}

Handling failures

If validation fails a CsrfViolationException is thrown which should be caught and handled appropriately., <sub>(*10)</sub>