Download the PHP package linna/csrf-guard without Composer

On this page you can find all versions of the php package linna/csrf-guard. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, include the autoloader once with require_once('vendor/autoload.php');. After that, import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Composer is sometimes complicated to use, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package csrf-guard



[![Tests](https://github.com/linna/csrf-guard/workflows/Tests/badge.svg)](https://github.com/linna/csrf-guard/actions) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=linna_csrf-guard&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=linna_csrf-guard) [![PDS Skeleton](https://img.shields.io/badge/pds-skeleton-blue.svg?style=flat)](https://github.com/php-pds/skeleton) [![PHP 8.1](https://img.shields.io/badge/PHP-8.1-8892BF.svg)](http://php.net)

About

Provides a class for generating and validating tokens used against Cross-site Request Forgery.

Note: Don't consider this class a definitive method to protect your web site/application. If you wish to learn more about how to prevent CSRF, you can start here

Requirements

This package require

Installation

With composer:

Token types

Note: Storage here means that the token, or the data about the token, is stored in the session.

The package provides three types of token:

Encryption-based token

An encryption-based CSRF token is the result of a cryptographic algorithm: some data is encrypted using a secret key known only to the server. The implementation in this library uses the libsodium AEAD construction XChaCha20-Poly1305. The token has an expiry time and requires local storage.

The token security depends on:

This token is valid until validated or until it expires. It's possible to select a length of the token. The length of the token doesn't affect the storage used.

The key used for the encryption is generated for every session, the nonce for every token.

HMAC-based token

An HMAC-based CSRF token is computed by applying an HMAC function to some data and a secret key that is known only to the server. The implementation in this library uses PHP's hash_hmac with the sha3-384 algorithm. This type of token doesn't require local storage and it has an expiry time.

The token security depends on:

This token is valid until it expires and can be validated multiple times. It also has a fixed length, and it's not possible to change it to obtain a shorter or longer token.

The key used to authenticate is fully managed by the user of the library.
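The properties described above (no storage, an expiry time, repeated validation, fixed length) can be seen in a small sketch. This is an added example, not code from linna/csrf-guard: the token layout, the function names `hmacTokenCreate` and `hmacTokenValidate`, and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not linna/csrf-guard code. The "hex(expiry).hex(mac)"
// layout and both function names are assumptions made for this example.

function hmacTokenCreate(string $value, string $key, int $expire, ?int $now = null): string
{
    $expiresAt = dechex(($now ?? time()) + $expire);
    // The MAC binds the token to the caller's value and to the expiry time.
    return $expiresAt . '.' . hash_hmac('sha3-384', $value . '|' . $expiresAt, $key);
}

function hmacTokenValidate(string $token, string $value, string $key, ?int $now = null): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || strlen($parts[0]) > 15) {
        return false; // malformed token
    }
    [$expiresAt, $mac] = $parts;
    $expected = hash_hmac('sha3-384', $value . '|' . $expiresAt, $key);
    // Authenticate first, in constant time; only then trust the expiry field.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    return hexdec($expiresAt) >= ($now ?? time());
}

// Constructed sample input: a random key, a made-up session value, a fixed clock.
$key = random_bytes(32);
$value = 'constructed-session-value';
$t0 = 1700000000;
$token = hmacTokenCreate($value, $key, 600, $t0);
$forged = dechex($t0 + 86400) . '.' . explode('.', $token)[1];

$cases = [
    'fresh token'                  => hmacTokenValidate($token, $value, $key, $t0 + 10),
    'same token again, no storage' => hmacTokenValidate($token, $value, $key, $t0 + 20),
    'after the 600 s lifetime'     => hmacTokenValidate($token, $value, $key, $t0 + 601),
    'different session value'      => hmacTokenValidate($token, 'other-value', $key, $t0 + 10),
    'expiry edited, MAC unchanged' => hmacTokenValidate($forged, $value, $key, $t0 + 10),
];
foreach ($cases as $case => $ok) {
    printf("%-32s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

Because nothing is stored server-side, a captured token stays usable until it expires, so the expiry and the secrecy of the key carry the whole protection.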

Synchronizer token

The Synchronizer CSRF token is a randomly generated token. This library uses PHP's random_bytes. The token has an expiry time and requires local storage.

The token security depends on:

This token is valid until validated or until it expires. It's possible to select a length of the token. The length of the token affects the storage used.
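The stored, single-use behaviour described above differs from the HMAC token; the following sketch shows it with a bounded storage. This is an added example, not code from linna/csrf-guard: `$store` stands in for a session entry, and the function names `syncTokenCreate` and `syncTokenValidate` and the storage layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not linna/csrf-guard code. $store stands in for a
// $_SESSION entry; function names and the storage layout are assumptions.

function syncTokenCreate(array &$store, int $tokenLength, int $storageSize, int $expire, int $now): string
{
    $token = bin2hex(random_bytes($tokenLength));
    $store[] = ['token' => $token, 'expires' => $now + $expire];
    // Keep the storage bounded: the oldest tokens are dropped first.
    while (count($store) > $storageSize) {
        array_shift($store);
    }
    return $token;
}

function syncTokenValidate(array &$store, string $token, int $now): bool
{
    foreach ($store as $i => $entry) {
        if (hash_equals($entry['token'], $token)) {
            // Single use: the token leaves the storage as soon as it is checked.
            array_splice($store, $i, 1);
            return $entry['expires'] >= $now;
        }
    }
    return false;
}

// Constructed run with a fixed clock and a storage of two tokens.
$store = [];
$t0 = 1700000000;
$first  = syncTokenCreate($store, 32, 2, 600, $t0);
$second = syncTokenCreate($store, 32, 2, 600, $t0);
$third  = syncTokenCreate($store, 32, 2, 600, $t0); // pushes $first out

$cases = [
    'evicted by storage limit' => syncTokenValidate($store, $first, $t0 + 10),
    'stored token, first use'  => syncTokenValidate($store, $second, $t0 + 10),
    'same token, second use'   => syncTokenValidate($store, $second, $t0 + 10),
    'stored token, expired'    => syncTokenValidate($store, $third, $t0 + 601),
];
foreach ($cases as $case => $ok) {
    printf("%-28s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
printf("token: %d hex chars, left in storage: %d\n", strlen($first), count($store));
```

A small storage size means that a page opened in several tabs can have its older tokens evicted before the form is submitted, which is the practical trade-off behind the storageSize option.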

Usage

Note: The session must be started before you create the instance of a provider; if not, a SessionNotStartedException will be thrown. This does not apply if you use the HmacTokenProvider.

Get started

How to get and validate a token using a few lines of code.

Generate a provider

Get a token

Validate it

Provider configuration

The ProviderSimpleFactory::getProvider() static method has two parameters:

EncryptionTokenProvider config

| Options | Default Value | Unit | Range | Mandatory |
|---|---|---|---|---|
| expire | 600 | seconds | 0-86400 | no |
| storageSize | 10 | tokens | 2-64 | no |
| tokenLength | 16 | bytes | 16-128 | no |

Example of usage:

HmacTokenProvider config

| Options | Default Value | Unit | Range | Mandatory |
|---|---|---|---|---|
| value | // | | | yes |
| key | // | | | yes |
| expire | 600 | seconds | 0-86400 | no |

Example of usage:

SynchronizerTokenProvider config

| Options | Default Value | Unit | Range | Mandatory |
|---|---|---|---|---|
| expire | 600 | seconds | 0-86400 | no |
| storageSize | 10 | tokens | 2-64 | no |
| tokenLength | 32 | bytes | 16-128 | no |

Example of usage:


All versions of csrf-guard with dependencies

Requires php Version >=8.1
