Download the PHP package solventt/csrf-protection without Composer

On this page you can find all versions of the php package solventt/csrf-protection. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, the classes cannot be imported with use statements without a project.


Information about the package csrf-protection

Table of Contents

  1. Features
  2. Installing
  3. Usage
  4. A real use case
  5. A custom token name
  6. A custom failure handler
  7. A custom token storage
  8. A custom token generation algorithm
  9. A custom CSRF token class
  10. The CSRF token in custom request headers

This is a PSR-15 compatible middleware that implements protection against cross-site request forgery.

In this package, the CSRF protection is organized according to the Synchronizer Token pattern described on the OWASP website.

Features

This package uses token masking: on every read the stored token is XORed with a fresh random secret (a one-time pad) and returned together with that secret, so the value that appears in the response body differs each time even though the underlying token is constant. This is the recommended mitigation against BREACH, a compression side-channel attack that can recover a secret repeated verbatim across HTTPS responses.

The CSRF token is generated and saved once per session (this can be changed), but thanks to the mask the value handed out is unique each time it is requested.

Because the underlying token is not rotated on every request, masking also avoids false CSRF failures when a user navigates with the browser's "Back" button and submits a form that was rendered earlier: that form's masked value still unmasks to the current session token.

Installing

Usage

To get the name and a valid value of the token, do:

Somewhere in HTML:

When getValue() is called for the first time, the CSRF token is generated and written to the configured storage (by default the user's session). Subsequent calls read the stored value instead of generating a new one.

By default, getValue() returns a masked token. If you need the raw value of the CSRF token as it is stored in the session, pass false as the first argument:

To generate a token of a specific length, pass it as the second argument of getValue():

The default token length is 32 characters and cannot be less than 15.

Since the CSRF token is randomly masked, there is no need to regenerate it within the same session. But if such a need occurs, do:
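The following script is an added illustration of the scheme described in the Features and Usage sections above; it is not code from solventt/csrf-protection. It mirrors the documented behaviour (generate once per session, hand out a differently masked value on every read, default length 32 with a minimum of 15, constant-time comparison) with a small class whose names (DemoCsrfToken, mask(), unmask(), validate(), regenerate()) are invented for the demo, and a plain array standing in for $_SESSION:

```php
<?php
// Added example, not the library's code. DemoCsrfToken and its methods are
// invented for this demo; $session below is a constructed stand-in for $_SESSION.
declare(strict_types=1);

final class DemoCsrfToken
{
    private const MIN_LENGTH = 15;

    /** @var array<string,string> */
    private array $storage;
    private string $name;

    /** @param array<string,string> $storage session-like store, taken by reference */
    public function __construct(array &$storage, string $name = '_csrf')
    {
        $this->storage = &$storage;
        $this->name = $name;
    }

    public function getName(): string
    {
        return $this->name;
    }

    /** First call generates and stores the raw token; later calls reuse it. */
    public function getValue(bool $masked = true, int $length = 32): string
    {
        if ($length < self::MIN_LENGTH) {
            throw new InvalidArgumentException('token length must be at least ' . self::MIN_LENGTH);
        }
        if (!isset($this->storage[$this->name])) {
            // hex output so $length counts characters; random_bytes() is a CSPRNG
            $hex = bin2hex(random_bytes(intdiv($length + 1, 2)));
            $this->storage[$this->name] = substr($hex, 0, $length);
        }
        $raw = $this->storage[$this->name];

        return $masked ? self::mask($raw) : $raw;
    }

    /** Forget the stored token; the next getValue() mints a new one. */
    public function regenerate(): void
    {
        unset($this->storage[$this->name]);
    }

    /** pad || (pad XOR raw), base64-encoded; a fresh pad makes every output distinct. */
    public static function mask(string $raw): string
    {
        $pad = random_bytes(strlen($raw));

        return base64_encode($pad . ($pad ^ $raw));
    }

    /** Inverse of mask(); null for anything that is not a well-formed masked value. */
    public static function unmask(string $masked): ?string
    {
        $bytes = base64_decode($masked, true);
        if ($bytes === false || $bytes === '' || strlen($bytes) % 2 !== 0) {
            return null;
        }
        $half = intdiv(strlen($bytes), 2);

        return substr($bytes, 0, $half) ^ substr($bytes, $half);
    }

    /** Unmask the submitted value and compare it with the stored token in constant time. */
    public function validate(string $submitted): bool
    {
        $raw = $this->storage[$this->name] ?? null;
        $candidate = self::unmask($submitted);
        if ($raw === null || $candidate === null) {
            return false;
        }

        return hash_equals($raw, $candidate);
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

$session = [];                      // constructed stand-in for $_SESSION
$token = new DemoCsrfToken($session);

$first  = $token->getValue();       // rendered into form 1
$second = $token->getValue();       // rendered into form 2, same session
expect($first !== $second, 'each response carries a different masked value (BREACH)');
expect(strlen($token->getValue(false)) === 32, 'default raw length is 32');
expect($token->validate($first) && $token->validate($second), 'both unmask to the stored token');
expect($token->validate($first), 'a form rendered earlier (Back button) still validates');
expect(!$token->validate(DemoCsrfToken::mask(str_repeat('0', 32))), 'a foreign token is rejected');
expect(!$token->validate('not-base64!'), 'malformed input is rejected rather than fatal');

$token->regenerate();
expect(!$token->validate($first), 'regeneration invalidates every earlier masked value');
echo "all checks passed\n";
```

Two details worth keeping when adapting this: the comparison uses hash_equals() so that timing does not leak how many leading characters matched, and unmask() rejects malformed input instead of throwing, so a bad submission is a normal CSRF failure rather than a 500.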

A real use case

This is an example of using the CSRF protection in the Slim micro framework.

config/csrf.php:

routing/middleware.php:

config/twig.php:

views/template.twig:

A custom token name

The default token name is _csrf. But you can specify your own name by adding it as the third argument to the MaskedCsrfToken constructor:

A custom failure handler

By default, if the CSRF tokens do not match, the client receives HTTP status 400 with the message 'Bad Request'.

But you can define your own logic for handling CSRF failures. Just pass an anonymous function as the third argument to the CsrfMiddleware constructor:

Note: the anonymous function must return an object implementing Psr\Http\Message\ResponseInterface.

A custom token storage

Out of the box, this package provides the SessionTokenStorage class, which works directly with the superglobal $_SESSION. If that is not what you need, you can write your own token storage; your class must then implement TokenStorageInterface:

For example, if your code uses an abstraction over $_SESSION to handle sessions, your token storage might look like this:

A custom token generation algorithm

You can define your own logic for generating the CSRF token and adding/removing the token mask. To do this, your class must implement SecurityInterface:

A custom CSRF token class

This package provides the MaskedCsrfToken class representing the CSRF token. But you can write your own implementation of the token according to the CsrfTokenInterface:

The CSRF token in custom request headers

If no CSRF token is found in the request body, the middleware checks the X-CSRF-Token header. You can provide your own header name using the setHeaderName method:

This is useful for AJAX requests, which typically send the token in a header rather than in a form body. The header is only a second place to look: its value is validated against the stored token exactly like a body field, so a header named X-CSRF-Token is not by itself proof of same-origin.
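As an added illustration (not the library's code) of the request-side lookup described above and in the custom failure handler section, the following script checks a request the way the README says the middleware does: body field first, then a header whose name can be changed, with a pluggable failure handler. To run without a PSR-7/PSR-17 package, requests are plain arrays and the handler returns a [status, body] pair instead of a ResponseInterface; every name here (DemoCsrfGuard, run(), $onFailure) is invented for this demo:

```php
<?php
// Added example, not the library's code. DemoCsrfGuard and run() are invented
// for this demo; the sample requests at the bottom are constructed.
declare(strict_types=1);

final class DemoCsrfGuard
{
    private string $expectedRaw;
    private string $tokenName;
    private string $headerName;
    /** @var callable(string): array{int, string} */
    private $onFailure;

    public function __construct(string $expectedRaw, string $tokenName = '_csrf', ?callable $onFailure = null)
    {
        $this->expectedRaw = $expectedRaw;
        $this->tokenName = $tokenName;
        $this->headerName = 'X-CSRF-Token';
        // default mirrors the README: 400 Bad Request
        $this->onFailure = $onFailure ?? static fn(string $reason): array => [400, 'Bad Request'];
    }

    public function setHeaderName(string $name): void
    {
        $this->headerName = $name;
    }

    /** Reverse of "pad || (pad XOR token)" masking; null if malformed. */
    private static function unmask(string $masked): ?string
    {
        $bytes = base64_decode($masked, true);
        if ($bytes === false || $bytes === '' || strlen($bytes) % 2 !== 0) {
            return null;
        }
        $half = intdiv(strlen($bytes), 2);

        return substr($bytes, 0, $half) ^ substr($bytes, $half);
    }

    /**
     * @param array<string,mixed>  $body    parsed form fields
     * @param array<string,string> $headers keys lowercased, as PSR-7 header lookups are case-insensitive
     * @return array{int, string}  [status, body]
     */
    public function run(string $method, array $body, array $headers): array
    {
        // Safe methods are not state-changing; nothing to check.
        if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
            return [200, 'OK'];
        }
        // Body field first, header as the fallback used by AJAX clients.
        $submitted = $body[$this->tokenName] ?? $headers[strtolower($this->headerName)] ?? null;
        if (!is_string($submitted) || $submitted === '') {
            return ($this->onFailure)('no token submitted');
        }
        $candidate = self::unmask($submitted);
        if ($candidate === null || !hash_equals($this->expectedRaw, $candidate)) {
            return ($this->onFailure)('token mismatch');
        }

        return [200, 'OK'];
    }
}

// --- constructed demo requests ---
$raw = bin2hex(random_bytes(16));                       // what the session would hold
$mask = static function (string $t): string {           // same masking the token side applies
    $pad = random_bytes(strlen($t));
    return base64_encode($pad . ($pad ^ $t));
};
$check = static function (array $got, array $want, string $what): void {
    if ($got !== $want) {
        throw new RuntimeException("FAILED: $what, got " . json_encode($got));
    }
};

$guard = new DemoCsrfGuard($raw);
$check($guard->run('GET', [], []), [200, 'OK'], 'GET is never checked');
$check($guard->run('POST', ['_csrf' => $mask($raw)], []), [200, 'OK'], 'token in form field');
$check($guard->run('POST', [], ['x-csrf-token' => $mask($raw)]), [200, 'OK'], 'AJAX header fallback');
$check($guard->run('POST', [], []), [400, 'Bad Request'], 'missing token hits the default handler');
$check($guard->run('POST', ['_csrf' => $mask(str_repeat('0', 32))], []), [400, 'Bad Request'], 'wrong token');
$check($guard->run('POST', ['_csrf' => 'garbage'], ['x-csrf-token' => $mask($raw)]), [400, 'Bad Request'],
    'a bad body value is not rescued by a good header');

$guard->setHeaderName('X-XSRF-Token');
$check($guard->run('POST', [], ['x-csrf-token' => $mask($raw)]), [400, 'Bad Request'], 'old header name is no longer read');
$check($guard->run('POST', [], ['x-xsrf-token' => $mask($raw)]), [200, 'OK'], 'custom header name');

$json = new DemoCsrfGuard($raw, '_csrf', static fn(string $reason): array => [403, json_encode(['error' => $reason])]);
$check($json->run('POST', [], []), [403, '{"error":"no token submitted"}'], 'custom failure handler');
echo "all checks passed\n";
```

In a real PSR-15 middleware the body field would come from getParsedBody(), the header from getHeaderLine(), and the failure callable would build a ResponseInterface through the PSR-17 factory the package depends on. The signature the library passes to its own failure closure is not shown on this page, so the single-argument form used here is an assumption of the demo, not the library's contract.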


All versions of csrf-protection with dependencies

Requirements:
  • php: ^7.4 || ^8.0
  • psr/http-factory: ^1.0
  • psr/http-server-middleware: ^1.0