Download the PHP package linna/csrf-guard without Composer
Package csrf-guard
Short Description Linna Cross-site request forgery Guard
License MIT
Homepage https://github.com/linna/csrf-guard
Information about the package csrf-guard
About
Provides a class for generating and validating tokens used to protect against Cross-site Request Forgery.
Note: Don't consider this class a definitive method to protect your web site/application. If you wish to learn more about preventing CSRF, you can start here
Requirements
This package requires:
- php 7.0 until version v1.1.2
- php 7.1 from v1.2.0
- php 7.4 from v1.4.0
- php 8.1 from v2.0.0
Installation
With composer:
Token types
Note: "storage" here means that the token, or data about the token, is kept in the session.
The package provides three types of token:
- Encryption-based CSRF token
- HMAC-based CSRF token
- Synchronizer CSRF token
Encryption-based token
An encryption-based CSRF token is the result of a cryptographic algorithm: some data is encrypted with a secret key known only to the server. The implementation in this library uses the libsodium AEAD construction XChaCha20-Poly1305. The token has an expiry time and requires local storage.
The token security depends on:
- secret key storage
- strength of XChaCha20-Poly1305
This token is valid until it is validated or until it expires. It is possible to select the length of the token; the length of the token does not affect the storage used.
The key used for the encryption is generated for every session, the nonce for every token.
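The following is an added example, not code from linna/csrf-guard, showing how an encryption-based token with the properties listed above can be built on libsodium's XChaCha20-Poly1305 AEAD: one key per session, a fresh nonce per token, the expiry time inside the ciphertext, and a fixed-size digest in storage so the token length does not change the storage used. The class and option names (EncryptedCsrf, expire, storageSize, tokenLength) are this example's own; the real library keeps its state in the PHP session.

```php
<?php
// Added example, not code from linna/csrf-guard. Class and option names are assumptions.
declare(strict_types=1);

final class EncryptedCsrf
{
    private string $key;
    /** @var string[] 32-byte SHA-256 digests of outstanding tokens, oldest first */
    private array $store = [];

    public function __construct(
        private int $expire = 600,
        private int $storageSize = 10,
        private int $tokenLength = 16,
    ) {
        // One key per session (the library generates a fresh key for every session).
        $this->key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
    }

    public function generate(): string
    {
        // A fresh nonce for every token: reusing a nonce under the same key breaks the AEAD.
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        // Plaintext = 8-byte big-endian expiry time + random filler of the chosen length.
        // The 16-byte Poly1305 tag appended by the AEAD makes any tampering detectable.
        $plain  = pack('J', time() + $this->expire) . random_bytes($this->tokenLength);
        $cipher = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, '', $nonce, $this->key);
        $token  = $nonce . $cipher;

        // Only a fixed-size digest is stored, so tokenLength does not change the
        // storage used. When the cap is reached the oldest token is forgotten.
        if (count($this->store) >= $this->storageSize) {
            array_shift($this->store);
        }
        $this->store[] = hash('sha256', $token, true);

        return bin2hex($token);
    }

    public function validate(string $hex): bool
    {
        if (!ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
            return false;
        }
        $token    = hex2bin($hex);
        $nonceLen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        if (strlen($token) < $nonceLen + 8 + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
            return false;
        }

        // The token must still be outstanding; it is removed on first use either way.
        $digest = hash('sha256', $token, true);
        $index  = null;
        foreach ($this->store as $i => $stored) {
            if (hash_equals($stored, $digest)) {
                $index = $i;
                break;
            }
        }
        if ($index === null) {
            return false;
        }
        unset($this->store[$index]);
        $this->store = array_values($this->store);

        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($token, $nonceLen), '', substr($token, 0, $nonceLen), $this->key
        );
        if ($plain === false) {
            return false; // forged or corrupted: the authentication tag did not verify
        }
        $expiresAt = unpack('J', substr($plain, 0, 8))[1];
        return $expiresAt > time();
    }
}

// Demonstration of the properties the text lists.
$csrf   = new EncryptedCsrf(expire: 600, storageSize: 10, tokenLength: 16);
$token  = $csrf->generate();
$first  = $csrf->validate($token);                            // first submission
$second = $csrf->validate($token);                            // same token submitted again
$forged = $csrf->validate(substr_replace($token, 'ff', -2));  // last byte altered
printf("first=%s second=%s forged=%s\n",
    var_export($first, true), var_export($second, true), var_export($forged, true));
```

Because the digest is the only thing kept server side, a tampered token fails twice over: its digest is not in the store, and even if it were, the Poly1305 tag would not verify. The expiry check runs only after the tag has been verified, so an attacker cannot influence the timestamp that is compared.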
HMAC-based token
An HMAC-based CSRF token is computed by applying an HMAC function to some data and a secret key known only to the server. The implementation in this library uses PHP hash_hmac with the sha3-384 algorithm.
This type of token doesn't require local storage, and it has an expiry time.
The token security depends on:
- secret key storage
- strength of sha3-384
This token is valid until it expires and can be validated more than once. It also has a fixed length; it is not possible to obtain a shorter or longer token.
The key used to authenticate is fully managed by the user of the library.
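As an added example (not the library's own HmacTokenProvider code), the following shows the stateless construction the text describes: the expiry time is part of the signed data, the MAC is a SHA3-384 HMAC computed with a caller-managed key, and validation needs no server-side storage, which is why the same token verifies more than once. The class name HmacCsrf and the parameter names are this example's own.

```php
<?php
// Added example, not code from linna/csrf-guard. Names are assumptions.
declare(strict_types=1);

final class HmacCsrf
{
    // The secret key is supplied by the caller; generating, storing and rotating
    // it is the caller's responsibility, as the text says for the library too.
    public function __construct(private string $key, private int $expire = 600) {}

    // $value binds the token to something the server can recompute on submit
    // (for example the session id), so a token issued to one session is not
    // accepted for another.
    public function generate(string $value, ?int $now = null): string
    {
        $expiresAt = ($now ?? time()) + $this->expire;
        $mac = hash_hmac('sha3-384', $value . '|' . $expiresAt, $this->key);
        // Fixed length: 10-digit timestamp, a separator, and 96 hex chars of SHA3-384.
        return $expiresAt . '.' . $mac;
    }

    public function validate(string $token, string $value, ?int $now = null): bool
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[0])) {
            return false;
        }
        [$expiresAt, $mac] = $parts;
        $expected = hash_hmac('sha3-384', $value . '|' . $expiresAt, $this->key);
        // Constant-time comparison, and the MAC is checked before the timestamp is trusted.
        if (!hash_equals($expected, $mac)) {
            return false;
        }
        return (int) $expiresAt > ($now ?? time());
    }
}

// Demonstration: the same token, checked twice, against another value, and after expiry.
$csrf  = new HmacCsrf(random_bytes(32), 600);
$token = $csrf->generate('session-abc123');
printf("length=%d\n", strlen($token));
printf("first=%s\n",    var_export($csrf->validate($token, 'session-abc123'), true));
printf("again=%s\n",    var_export($csrf->validate($token, 'session-abc123'), true));
printf("other=%s\n",    var_export($csrf->validate($token, 'session-other'), true));
printf("expired=%s\n",  var_export($csrf->validate($token, 'session-abc123', time() + 601), true));
```

Nothing is consumed on validation, so a captured token stays usable until its expiry; keeping `expire` short is the only limit on reuse with this token type.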
Synchronizer token
The Synchronizer CSRF token is a randomly generated token. This library uses PHP random_bytes. The token has an expiry time and requires local storage.
The token security depends on:
- the length of the token
This token is valid until validated or until it expires. It's possible to select a length of the token. The length of the token affects the storage used.
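An added example, not the library's SynchronizerTokenProvider code, of the synchronizer pattern described above: random bytes are issued, kept server side and matched on submit, each token is single use, and the storage used grows with the token length because the raw token itself is stored. Class and option names are this example's own; the library keeps its store in the session.

```php
<?php
// Added example, not code from linna/csrf-guard. Names are assumptions.
declare(strict_types=1);

final class SynchronizerCsrf
{
    /** @var array<int, array{token: string, expiresAt: int}> oldest first */
    private array $store = [];

    public function __construct(
        private int $expire = 600,
        private int $storageSize = 10,
        private int $tokenLength = 32,
    ) {}

    public function generate(): string
    {
        // The whole security of this token is the unpredictability of these bytes.
        $token = random_bytes($this->tokenLength);
        if (count($this->store) >= $this->storageSize) {
            array_shift($this->store); // forget the oldest outstanding token
        }
        $this->store[] = ['token' => $token, 'expiresAt' => time() + $this->expire];
        return bin2hex($token);
    }

    public function validate(string $hex): bool
    {
        if (!ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
            return false;
        }
        $token = hex2bin($hex);
        foreach ($this->store as $i => $entry) {
            // hash_equals keeps the comparison constant-time for equal-length inputs.
            if (hash_equals($entry['token'], $token)) {
                unset($this->store[$i]); // single use
                $this->store = array_values($this->store);
                return $entry['expiresAt'] > time();
            }
        }
        return false;
    }

    // Bytes of token material held server side: unlike the encryption-based
    // token, this grows with tokenLength because the raw token itself is stored.
    public function storageBytes(): int
    {
        return array_sum(array_map(static fn (array $e): int => strlen($e['token']), $this->store));
    }
}

// Storage cost for two token lengths, with the store filled to its cap of 10.
$short = new SynchronizerCsrf(tokenLength: 16);
$long  = new SynchronizerCsrf(tokenLength: 64);
for ($i = 0; $i < 10; $i++) {
    $short->generate();
    $long->generate();
}
printf("storage with 16-byte tokens: %d bytes, with 64-byte tokens: %d bytes\n",
    $short->storageBytes(), $long->storageBytes());

// Single use: the same token submitted twice.
$csrf  = new SynchronizerCsrf();
$token = $csrf->generate();
printf("first use: %s, second use: %s\n",
    var_export($csrf->validate($token), true), var_export($csrf->validate($token), true));
```

The `storageSize` cap matters in practice: a user with more than ten forms open at once will find the oldest token silently evicted, so the cap should be sized to the application's realistic number of concurrent forms rather than left at the minimum.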
Usage
Note: The session must be started before you create the instance of a provider; otherwise a SessionNotStartedException will be thrown. This does not apply if you use the HmacTokenProvider.
Get started
How to get and validate a token in a few lines of code.
Generate a provider
Get a token
Validate it
Provider configuration
The ProviderSimpleFactory::getProvider() static method has two parameters:
- the provider
- the options for the provider
EncryptionTokenProvider config
Options | Default Value | Unit | Range | Mandatory |
---|---|---|---|---|
expire | 600 | seconds | 0-86400 | no |
storageSize | 10 | tokens | 2-64 | no |
tokenLength | 16 | bytes | 16-128 | no |
Example of usage:
HmacTokenProvider config
Options | Default Value | Unit | Range | Mandatory |
---|---|---|---|---|
value | // | | | yes |
key | // | | | yes |
expire | 600 | seconds | 0-86400 | no |
Example of usage:
SynchronizerTokenProvider config
Options | Default Value | Unit | Range | Mandatory |
---|---|---|---|---|
expire | 600 | seconds | 0-86400 | no |
storageSize | 10 | tokens | 2-64 | no |
tokenLength | 32 | bytes | 16-128 | no |
Example of usage: