**Project is deprecated.**

Simple CSRF-token class to prevent CSRF attacks.

## Requirements

- PHP 5.3 or higher is required.

## Composer installation

- Get Composer.
- Require SimpleCSRF with `php composer.phar require dimns/simplecsrf` or `composer require dimns/simplecsrf` (if Composer is installed globally).
- Add the following to your application's main PHP file: `require 'vendor/autoload.php';`

## Usage with FORM
```php
<?php
require 'vendor/autoload.php';
session_start();

// Init class
$csrf = new \DimNS\SimpleCSRF(); // Default session name: csrf_token

// Init class with other session name
$csrf = new \DimNS\SimpleCSRF('my_session_name');

// Getting a token for forms
$csrf_token = $csrf->getToken();

// Checking the token (guard against a missing field so no notice is raised)
$submitted = isset($_POST['_token']) ? $_POST['_token'] : '';
if ($csrf->validateToken($submitted)) {
    echo 'Token correct';
} else {
    echo 'Invalid token';
}
```
```html
<form action="index.php" method="post">
    <input type="text" name="login">
    <input type="password" name="password">
    <input type="hidden" name="_token" value="<?=$csrf_token?>">
    <input type="submit" value="GO!">
</form>
```
## Usage with AJAX
```php
<?php
require 'vendor/autoload.php';
session_start();

// Init class
$csrf = new \DimNS\SimpleCSRF(); // Default session name: csrf_token

// Init class with other session name
$csrf = new \DimNS\SimpleCSRF('my_session_name');

// Generate a token for forms
$csrf_token = $csrf->getToken();

// Checking the token sent in the X-CSRFToken header (guard against a missing header)
$submitted = isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '';
if ($csrf->validateToken($submitted)) {
    // Token correct
} else {
    // Invalid token
}
```
```html
<head>
    <meta name="_token" content="<?=$csrf_token?>">
</head>
```
```javascript
// jQuery: attach the token to every state-changing request
$.ajaxSetup({
    beforeSend: function (xhr, settings) {
        if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", $('meta[name="_token"]').attr('content'));
        }
    }
});
```
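To show the mechanics that both usage patterns above rely on, here is an added illustrative token class (it is not the SimpleCSRF library's own code): a random token stored under a session key, returned unchanged for the session's lifetime, and checked with a constant-time comparison against either the form field or the AJAX header. The class name `DemoCsrf` is a placeholder, and `random_bytes()`/`hash_equals()` assume PHP 7.0 or later.

```php
<?php
// Added example, not the library's implementation. Shows what a
// getToken()/validateToken() pair must do to be useful as a CSRF defence.
class DemoCsrf
{
    private $key;

    public function __construct($sessionKey = 'csrf_token')
    {
        $this->key = $sessionKey;
    }

    // Return the session's token, creating one on first use so every form
    // and AJAX request in the session carries the same unguessable value.
    public function getToken()
    {
        if (empty($_SESSION[$this->key])) {
            $_SESSION[$this->key] = bin2hex(random_bytes(32)); // 256 bits of entropy
        }
        return $_SESSION[$this->key];
    }

    // Compare in constant time so a mismatch does not reveal how many
    // leading characters were correct; a missing token never validates.
    public function validateToken($submitted)
    {
        if (!is_string($submitted) || empty($_SESSION[$this->key])) {
            return false;
        }
        return hash_equals($_SESSION[$this->key], $submitted);
    }
}

session_start();
$csrf = new DemoCsrf();
$csrf_token = $csrf->getToken(); // embed in the form field or <meta> tag as above

// Accept the token from the hidden form field or the X-CSRFToken header,
// covering both the FORM and the AJAX usage shown in this README.
$submitted = isset($_POST['_token'])
    ? $_POST['_token']
    : (isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : null);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !$csrf->validateToken($submitted)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```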