Download the PHP package itrack/csrf without Composer

On this page you can find all versions of the php package itrack/csrf. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package csrf

Easy CSRF - Cross Site Request Forgery Protection

This library is a simple signature generator to protect form submissions from cross site request forgery, using a signed token. It does not require server-side storage of valid tokens and is thereby stateless.

Install

composer require itrack/csrf

Simple usage

The SignatureGenerator needs to be instantiated with the same secret every time. To generate a signed token, simply call SignatureGenerator::getSignature and embed the value into a hidden form field. Upon form submission, validate this token using SignatureGenerator::validateSignature.

Time limited validity

The signature includes a timestamp of when it was generated. This can be used to expire it after some time. The timestamp is part of the signature generation process and cannot be altered. By default the signature expires after a few hours (see SignatureGenerator::$validityWindow for default value). You can set your own validity window using SignatureGenerator::setValidityWindow:

The method accepts an integer UNIX timestamp, a string which will be evaluated by strtotime, or an instance of DateTime. Any signature older than the set timestamp is regarded as expired. The default timeout is a reasonable value which makes sure signatures do expire eventually without frustrating slow users; adjust it to make it tighter or more relaxed based on your needs.

Adding data

The signature can additionally be used to protect against form field injection and/or can be tied to a specific user. Data can be added to the signature generation process using SignatureGenerator::addValue and SignatureGenerator::addKeyValue:

The signature will only be valid if the same data was added when the token was generated and when it is being validated. To protect against form field injection you should add the names of all <input> elements which you expect to receive in the submitted form using SignatureGenerator::addValue. Any additional data you want to tie to the signature, like the user id, should be added using SignatureGenerator::addKeyValue.

For example, when generating the token:

When validating the token, use the submitted form fields as part of the validation:

This way, if any fields which were not part of the original signature are submitted with the form, it will not validate. Take care if you're dynamically adding form fields using JavaScript.
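The generate-then-validate flow from the sections above, written out as an added usage example (not code from the itrack/csrf README). The method names are the ones documented above; the namespace Itrack\CSRF and the hidden field name are assumptions, and the secret and user id are constructed sample values:

```php
<?php
// Added usage example, not part of the itrack/csrf README.
// Assumed: the package autoloads SignatureGenerator under the namespace
// Itrack\CSRF (the namespace is not stated in the README).
require_once __DIR__ . '/vendor/autoload.php';

use Itrack\CSRF\SignatureGenerator;

const CSRF_FIELD      = '_csrf';                // hidden token field (assumed name)
const EXPECTED_FIELDS = ['username', 'email'];  // fields the form is expected to submit

// The secret must be identical on every request. Load it from configuration;
// the fallback here is only a placeholder for the example.
$secret = getenv('CSRF_SECRET') ?: 'replace-with-a-long-random-secret';

/** Build a generator bound to the current user and a given set of field names. */
function csrfGenerator(string $secret, int $userId, array $fieldNames): SignatureGenerator
{
    $gen = new SignatureGenerator($secret);
    // Signatures generated more than an hour ago are treated as expired
    // (a string is evaluated with strtotime, as the README states).
    $gen->setValidityWindow('-1 hour');
    $gen->addKeyValue('user', (string) $userId);   // tie the token to this user
    foreach ($fieldNames as $name) {
        $gen->addValue($name);                      // protect against injected fields
    }
    return $gen;
}

// --- Rendering the form (GET request) ---
$userId = 42;   // constructed sample; normally read from the session
$token  = csrfGenerator($secret, $userId, EXPECTED_FIELDS)->getSignature();
echo '<input type="hidden" name="' . CSRF_FIELD . '" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;

// --- Handling the submission (POST request) ---
// Constructed stand-in for $_POST. An extra field such as "role" injected by
// the client would make validation fail, because its name was not signed.
$post = [CSRF_FIELD => $token, 'username' => 'alice', 'email' => 'alice@example.com'];

// Add exactly the submitted field names, minus the token field itself, so the
// expected and actual field lists cannot drift apart.
$submittedFields = array_values(array_diff(array_keys($post), [CSRF_FIELD]));

$valid = csrfGenerator($secret, $userId, $submittedFields)
    ->validateSignature($post[CSRF_FIELD] ?? '');

if (!$valid) {
    http_response_code(403);
    exit('Invalid or expired form token');
}
// ... process the form here
```

Deriving the field list on the validation side from the submitted keys, rather than from a second hard-coded list, is what keeps the two sides in sync; the user id and the token field name still have to be supplied identically on both sides.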

Note

The drawback of adding form fields is that the same form fields need to be added when generating the signature and when validating it. This requires keeping the list of expected and actual form fields in sync, which can quickly lead to code duplication if not handled properly. For best results I'd recommend using this library as part of a larger form generating function/class/library which handles this.

Signature format

The signature is base64 encoded; by default the format is:

timestamp + ":" + token + ":" + signed token

where

timestamp    = unsigned integer
token        = base64 encoded random value
signed token = base64 encoded hash

hash         = HMAC_SHA512(timestamp + token + data, secret)
data         = all added values

The data is sorted, so the order in which the values are added does not matter. The above description omits the exact format in which the data is laid out for hashing; please consult the source code.
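To make the format above concrete, here is an added stand-alone implementation of the same stateless scheme (timestamp, random token, HMAC-SHA512 over timestamp + token + sorted data, all base64 encoded). It is example code written for this page, not the library's own source: the separator used to join the added data and the expression of the validity window in seconds are assumptions, so its signatures are not interoperable with itrack/csrf.

```php
<?php
// Added example, not code from itrack/csrf. Implements the documented format
//   base64( timestamp ":" token ":" base64(HMAC_SHA512(timestamp + token + data, secret)) )
// The joining of the added data (a NUL separator) is an assumption of this example.

/** Canonical form of the added data: sorted, so insertion order is irrelevant. */
function canonicalData(array $data): string
{
    sort($data, SORT_STRING);
    return implode("\x00", $data);
}

/** Create a signature for the given secret and added values. */
function makeSignature(string $secret, array $data = [], ?int $now = null): string
{
    $timestamp = (string) ($now ?? time());
    $token     = base64_encode(random_bytes(32));   // unguessable per-form nonce
    $mac       = hash_hmac('sha512', $timestamp . $token . canonicalData($data), $secret, true);
    return base64_encode($timestamp . ':' . $token . ':' . base64_encode($mac));
}

/**
 * Validate a signature. Returns 'ok' or a short reason for rejection.
 * $maxAge is the validity window in seconds (the library expresses it as a
 * timestamp instead; seconds keep this stand-alone example simple).
 */
function validateSignature(string $secret, string $signature, array $data = [],
                           int $maxAge = 3600, ?int $now = null): string
{
    $raw = base64_decode($signature, true);
    if ($raw === false) {
        return 'malformed';
    }
    $parts = explode(':', $raw);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    [$timestamp, $token, $signed] = $parts;

    // Recompute the MAC over the same inputs the validator was given.
    $expected = base64_encode(
        hash_hmac('sha512', $timestamp . $token . canonicalData($data), $secret, true)
    );
    // Constant-time comparison; a plain == would leak how many bytes matched.
    if (!hash_equals($expected, $signed)) {
        return 'bad signature';
    }

    $now = $now ?? time();
    if ((int) $timestamp < $now - $maxAge) {
        return 'expired';
    }
    if ((int) $timestamp > $now + 60) {          // small tolerance for clock skew
        return 'timestamp in the future';
    }
    return 'ok';
}

// --- Demo with constructed values ---
$secret = 'example-secret-do-not-use';
$fields = ['username', 'email'];
$issued = 1700000000;                             // constructed issue time

$sig = makeSignature($secret, $fields, $issued);

// Same fields in a different order: still valid, because the data is sorted.
echo validateSignature($secret, $sig, ['email', 'username'], 3600, $issued + 100), PHP_EOL;  // ok
// An extra field the form never declared was injected: the MAC no longer matches.
echo validateSignature($secret, $sig, array_merge($fields, ['role']), 3600, $issued + 100), PHP_EOL;  // bad signature
// A different secret (or a token forged without it) is rejected the same way.
echo validateSignature('other-secret', $sig, $fields, 3600, $issued + 100), PHP_EOL;  // bad signature
// The same token presented more than an hour later has expired.
echo validateSignature($secret, $sig, $fields, 3600, $issued + 5000), PHP_EOL;  // expired
```

Two details worth noticing: the MAC is checked before the timestamp, so an attacker cannot learn anything about the timestamp handling without first producing a valid MAC, and the comparison uses hash_equals, which the real library's CryptoProvider should likewise use when comparing the signed token.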

Crypto provider

An alternative CryptoProvider, which provides a source of randomness and the hashing algorithm, can be passed upon instantiating SignatureGenerator as the second argument to the constructor. Consult ICryptoProvider.php and CryptoProvider.php.

Information

Based on https://github.com/deceze/Kunststube-CSRFP package


All versions of csrf with dependencies

Requires php Version >=7.0.0