Download the PHP package spencer14420/sp-anti-csrf without Composer
On this page you can find all versions of the php package spencer14420/sp-anti-csrf. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download spencer14420/sp-anti-csrf
More information about spencer14420/sp-anti-csrf
Files in spencer14420/sp-anti-csrf
Package sp-anti-csrf
Short Description Can be used to generate and validate anti-CSRF tokens
License MIT
Informations about the package sp-anti-csrf
SPAntiCSRF
SPAntiCSRF is a lightweight PHP package that secures web applications against CSRF attacks using token-based validation.
Features
- Session-based CSRF token management: Tokens are stored securely in PHP sessions.
- Token expiration: Tokens expire after a configurable duration for enhanced security.
- Validation and replay protection: Ensures tokens are valid and prevents token reuse.
- Session regeneration: Provides a method to regenerate session IDs, helping to mitigate session fixation attacks when used appropriately.
- One-time token usage: Tokens are invalidated after successful validation to prevent reuse.
Installation
You can install SPAntiCSRF using Composer:
Usage
Generate a CSRF Token
Generate a token when rendering forms or making requests that require CSRF protection:
Use the token in your HTML form:
Validate the Token
Validate the token on the server side when processing the form submission:
Regenerate the Session
For added security, you can regenerate the session ID periodically or after certain actions:
- Consider calling
regenerateSession()after sensitive actions like user login, logout, or privilege escalation to protect against session fixation attacks.
API Reference
Generates a new CSRF token, and stores it in a session variable with an expiry time (default: 1 hour).
- Parameters:
$expirySeconds: The token's lifetime in seconds.
- Returns: The generated token as a string.
Validates a CSRF token.
- Parameters
$tokenToCheck: The token to validate.
- Returns:
trueif the token is valid and has not expired;falseotherwise.
Regenerates the PHP session ID to mitigate session fixation attacks.
Checks if the stored token has expired.
- Returns:
trueif the token has not expired;falseotherwise.