PHP download

Download the PHP package aleksandarz/csrfmodule without Composer

On this page you can find all versions of the php package aleksandarz/csrfmodule. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

Table of contents
Download aleksandarz/csrfmodule
More information about aleksandarz/csrfmodule
Files in aleksandarz/csrfmodule

Vendor aleksandarz
Package csrfmodule
Short Description A simple CSRF protection module for PHP.
License MIT

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Example code of aleksandarz/csrfmodule

Informations about the package csrfmodule

CSRF Module

Versions

This module follows SemVer versioning rules.

1.0.0: Initial stable release.

Description

This module provides functionality to generate and validate CSRF tokens. It ensures protection against CSRF attacks by verifying that requests originate from trusted sources.

Current Version: 1.0.0

Features

Token generation and validation.
Custom expiration time for tokens.
Optional storage of token status (valid, used, expired).
Index creation and removal for status and timestamp columns.

Installation

You can install the module in two ways:
- Install via Composer (Recommended)
The easiest way to install the module is via Composer. Run the following command to add it to your project:

This will automatically add the module to your project.
- Manual Installation (Download from GitHub)
Alternatively, you can download the module manually from GitHub and place it in your project’s modules directory.
Database Setup. Code for creating the table will be handled by the createTable method inside DatabaseSchemaManager class. Table configuration is set in config/csrf_config.php.

If the SAVE_CSRF_STATUS constant is set to true, the status column will be included. If set to false, the column will be omitted.

For setting index on timestamp or status or both columns set true value for each index:
- To create the table in database call createTable method:
- To delete the table, you can call the deleteTable method:
The result of calling either method will be logged in the csrf_module\logs\general.log file. Note: Deleting the table is irreversible and should only be done if you are sure it is no longer needed.
Configuration: Rename the file config/csrf_config.example.php to config/csrf_config.php.
Database Setup: Open config/csrf_config.php and configure your database settings. Update the DB_USER, DB_PASS, DB_HOST, and DB_NAME constants with your database credentials.

Error Logging

The system logs errors into different log files inside logs direcotry based on the type of action:

db_errors.log: Logs database connection errors and database-related issues.
token_cleanup.log: Logs actions related to cleaning expired or invalid CSRF tokens.
general.log: Logs general application errors or significant events.

The result of actions like table creation, deletion, or cleanup will be logged in the appropriate log file. If the logs directory doesn't exist it will be created automatically if needed.

Usage

Session Requirements for User ID

The module requires a valid session key for the current user’s ID. The default session key is set to 'user_id' but can be customized in config/csrf_config.php. If this session key is missing or invalid, the module will stop execution and display an error.

Make sure to: Set the USER_ID_SESSION_KEY constant in csrf_config.php to match your application's session key. Ensure the session key is properly set and contains a valid integer representing the user ID.

Validating CSRF Token

To validate a token submitted via a form, compare the token in the session with the one sent with the request:

Adding and Removing status column to/from csrf_token table
Adding status column:
1. Set SAVE_CSRF_STATUS constant in csrf_config.php to true
2. Call addStatusColumn method
Removing status column:
1. Set SAVE_CSRF_STATUS constant in csrf_config.php to false
2. Call removeStatusColumn method:
Creating and Removing Indexes for Columns
To create an index on specific columns (status, timestamp, or both), use the addIndex method:

The method will log an error if the index already exists and return false. If the index is successfully created, it will return true.

To remove an index from specific columns (status, timestamp, or both), use the removeIndex method:
Cleaning Token During User Logout

When a user logs out, it is recommended to delete all user's tokens or change status of 'valid' CSRF token(s) to reduce the risk of misuse. You can utilize the existing method for:

deleting tokens:
changing token status to 'expired':

This will change status of all tokens to 'expired' or remove all tokens associated with the current user's ID from the database. Ensure the session contains a valid user_id for this method to work.

Cleaning Expired CSRF Tokens

The module provides functionality for cleaning expired CSRF tokens, as well as for cleaning specific user tokens or expired tokens for a specific user from the database. Tokens are considered expired if their timestamp is older than the specified expiration time, calculated as . The token lifetime is defined in the csrf_config.php file via the TOKEN_EXPIRATION_TIME constant. You can start the cleaning process if you have admin privileges by calling the allTokensCleanUp method in your application, as shown in the example below:

Admin Access for Token Cleanup

The allTokensCleanUp method is restricted to users with administrator privileges. This restriction is enforced using session data, and the role configuration is defined in the csrf_config.php file through the following constants:

When the method is called, it verifies the session data to ensure the user has the required role. If the validation fails, the method:

Logs an error indicating unauthorized access.
Returns a message to the user indicating insufficient permissions.

Ensure that:

The ROLE_NAME constant matches the session key used in your application for user roles.
The ROLE_VALUE constant matches the role value assigned to administrators.

Example of session configuration in your application:

Configuration

You can configure various aspects of the CSRF module by editing the configuration file located in modules/csrf_module/config/csrf_config.php.

Indexing Configuration: Enable or disable indexing for the status and timestamp columns by setting the following constants in csrf_config.php:
Removing Indexes: You can remove indexes for the status and timestamp columns by calling the removeIndex method with the appropriate column name(s). See the Usage section for more details.

License

This project is licensed under the MIT License - see the LICENSE file for details.

All versions of csrfmodule with dependencies

PHP Build Version

Package Version

Version 1.0.0 Release 16. Dec 2024
create-project require 0 people chose require and
0 people chose create-project.

Download

Download latest version of csrfmodule from vendor aleksandarz

Requires php Version ^8.2

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package aleksandarz/csrfmodule contains the following files

Loading the files please wait ....

Download the PHP package aleksandarz/csrfmodule without Composer

FAQ

How can I use the PHP package after the download?

Do I need to create a project on this site?

When is it necessary to insert some auth.json content?

What is the advantage to use this site for my Composer projects?

Informations about the package csrfmodule

CSRF Module

Versions

Description

Features

Installation

Error Logging

Usage

Session Requirements for User ID

Validating CSRF Token

Adding and Removing status column to/from csrf_token table

Creating and Removing Indexes for Columns

Cleaning Token During User Logout