Download the PHP package elhardoum/nonce-php without Composer
On this page you can find all versions of the php package elhardoum/nonce-php. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Informations about the package nonce-php
Nonce PHP
Fast PHP nonce and CSRF tokens tool, add tokens to your web forms and validate nonces easily using browser cookies or a cache driver (or anything else).
Install
Using composer:
Basic Usage
First, import and initialize the nonce utility class:
Then, to create a nonce based on an action name:
Here you see we used the signup-form
as an action name and we can use that later to verify the nonce supplied to the user request:
Let's use this in our HTML form:
Now the form should appear something like this on the front-end (i.e with the nonce field added):
To verify the nonce for this form on submission, we can pass the nonce
hash to the method $nonceUtil->verify( string $hash, string $action )
:
Configuration
When initializing the Nonce\Nonce
class, you're passing the config class as a first argument:
You can customize the default configs by calling the $nonceConfig->setConfig
method or by passing your own config class which implements Nonce\Config\Base
interface.
This allows you to overwrite the default constants of the config class.
For example, to update the cookie settings:
Available config constants:
Remember to use $nonceConfig->setConfig
to update any of the following config keys:
The CSRF cookie name.
The number of seconds in which the CSRF token attached to the browser cookie should expire. This token is important and used to generate and verify the hashes, so it is unique per user.
Specify a random salt to be used to generate the tokens.
Enter a character limit here. The return value of $nonceUtil->create(...)
then will be this characters long.
Which algo should be passed to hash
to generate a token.
How long should the nonce live once generated? the nonces should have a limited lifespan, otherwise you'd be bloating your browser cookies or cache server with redundant hashes.
The expiration is renewed after you request a hash via $nonceUtil->create(...)
method, so if a hash is 5 min to expire, the expiration will be reset as we recreate the hash.
Cookies path, set to a web directory name if you use Nonce
in a subdirectory project, or /
if on the root domain.
Note: even if you use a cache driver to store the hashes, the cookie is still required to store the CSRF
token.
The current domain name (host).
Enter a character limit here. This is important when you are storing hashes via cookies.
The generated hash becomes long that we actually need to trim it to get only the first few characters for the sake of identification, when you are storing hashes using browser cookies then this would possible result in larger request headers, so we'll try to store tiny hashes instead, and clip the hash as well while verifying the nonces.
Hash store drivers
The nonces identifier data needs to be stored temporarily to be used for later verification.
Cookies
A simple temporary storage can be achieved with browser cookies, so you can pass the \Nonce\HashStore\Cookie
instance as the second argument while initializing the nonce class:
Notice that regardless if you use a different store driver, cookies will still be used to persist the CSRF token for the request users.
Redis
You can also store the hash data temporarily on your Redis server, by passing an instance of \Nonce\HashStore\Redis
as the second argument while initializing the nonce class:
Make sure to pass an instance of \Predis\Client
while instantiating the \Nonce\HashStore\Redis
class.
Your Own
You can use any other means of temporary data stores, by passing a class which implements the \Nonce\HashStore\Store
interface: