{"id":17157082,"url":"https://github.com/invalidusrname/csrf","last_synced_at":"2025-03-24T14:17:52.706Z","repository":{"id":1334353,"uuid":"1280155","full_name":"invalidusrname/csrf","owner":"invalidusrname","description":"A PHP Kohana 3 module for CSRF prevention.  This module includes special handling and sample code for implementation with AJAX requests. Includes user agent validation, timeouts (expiration), and private key salted two-way encryption using mcrypt.","archived":false,"fork":false,"pushed_at":"2011-01-21T23:06:56.000Z","size":369,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-24T01:13:32.578Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/invalidusrname.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-01-21T22:00:23.000Z","updated_at":"2022-04-11T19:05:07.000Z","dependencies_parsed_at":"2022-07-06T23:33:30.354Z","dependency_job_id":null,"html_url":"https://github.com/invalidusrname/csrf","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invalidusrname%2Fcsrf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invalidusrname%2Fcsrf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invalidusrname%2Fcsrf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invalidusrname%2Fcsrf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/invalidusrname","download_url":"https://codeload.github.com/invalidusrname/csrf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245284731,"owners_count":20590307,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-14T22:08:10.356Z","updated_at":"2025-03-24T14:17:52.679Z","avatar_url":"https://github.com/invalidusrname.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"CSRF for Kohana 3\n=================\n\nUsage\n-------------\n\n**Implementation for Pages with Forms**\n\nThere are a few different use cases for the CSRF module. The most common is to automatically add CSRF protection to \na form on your website. 
Below is a quick example:\n\n\t\u003c?php echo CSRF_Form::open('/login/', array('method' =\u003e 'post')); ?\u003e\n\t\t\u003cinput type=\"text\" name=\"email\" id=\"email\" class=\"focus\" value=\"Email Address*\" /\u003e\n\t\t\u003cinput type=\"text\" name=\"password\" id=\"password\" class=\"pw-focus\" value=\"Password*\" /\u003e\n\t\t\u003cbutton type=\"submit\" class=\"button\" value=\"Register Now\"\u003eSubmit\u003c/button\u003e\n\t\u003c?php echo CSRF_Form::close(); ?\u003e\n\nCSRF_Form overrides Kohana_Form and as such there are no differences in the parameters you may pass to the open() method.\nThe open() method includes special handling for generating a hidden form element as well as javascript for generating\nand returning a new token to be used in coordination with AJAX handlers:\n\n\t// below is the pertinent snippet of CSRF_Form::open()\n\t// only POST forms get the hidden token and the helper script (comparison, not assignment)\n\tif ($attributes['method'] == 'post') {\n\t\t$output .= '\u003cinput type=\"hidden\" name=\"csrf_token\" id=\"csrf_token\" value=\"' . CSRF::token(TRUE) . '\" /\u003e';\n\t\t$output .= CSRF::javascript();\n\t}\n\n\t// below is the pertinent snippet of CSRF::javascript()\n\t$javascript  = '\u003cscript type=\"text/javascript\"\u003e';\n\t$javascript .= 'var csrf_token = \"' . $current_token . 
'\";';\n\t$javascript .= 'var csrf_invalidated = false;';\n\t$javascript .= 'function getToken(callback) { $.getJSON(\"'.url::site('csrf/generate/').'\", function(json) { csrf_token = json.token; csrf_invalidated = false; $(form).each(function(){ $(this).find(\"#csrf_token\").val(csrf_token); }); if ($.isFunction(callback)) callback.call(this, csrf_token); }); }';\n\t$javascript .= '\u003c/script\u003e';\n\n**Validating Form Submissions**\n\nIn order to validate that a form is not forged, you would include the following in your controller or model method:\n\n\tif (Request::$method == 'POST') {\n\t\tif (!isset($_POST['csrf_token']) || CSRF::valid($_POST['csrf_token'])) {\n\t\t\t// possible cross-site request forgery\n\t\t} else {\n\t\t\t// perform further form validation\n\t\t}\n\t}\n\n**Implementation for AJAX Only Pages**\n\nIf your page only has AJAX requests and no forms that need to be validated, you will need to add the javascript to your page\nbefore any of the AJAX handling code is added:\n\n\t\u003c?php echo CSRF::javascript(); ?\u003e\n\n**Caveats of AJAX CSRF Protection (and a workaround)**\n\nIt's worth noting that any call made to CSRF::valid() will delete the current csrf-token session variable. This means that if you\nhave multiple AJAX requests on a page, only the first one will be valid without implementing further frontend handling. To combat \nthis, you will need to ensure that you generate a new token after each AJAX request. 
\n\n\t\u003cscript type=\"text/javascript\"\u003e\n\t// below is a globally set variable you need to maintain for whether to get a new token\n\tvar csrf_invalidated = false;\n\n\tfunction ajaxyLogin(email, password) {\n\t\t// if invalidated, request a new token and retry with the same credentials once it arrives.\n\t\t// getToken() passes the new token as the callback's first argument, so wrap the retry in a closure\n\t\tif (csrf_invalidated) {\n\t\t\tgetToken(function() { ajaxyLogin(email, password); });\n\t\t\treturn false;\n\t\t}\n\n\t\t$.post('/ajax/login/', { csrf_token: csrf_token, email: email, password: password }, function(data) {\n\t\t\t// you need to manually invalidate the token\n\t\t\tcsrf_invalidated = true;\n\t\t\t// suggested usage is to automatically regenerate token in callback\n\t\t\tgetToken();\n\t\t});\n\n\t}\n\t\u003c/script\u003e\n\nTo combat the scenario of an AJAX request invalidating a subsequent form submission, it is recommended that you run\ngetToken() in the callback handling of your AJAX request. This will ensure that any forms on your page will have their\nhidden input tokens updated accordingly.\n\n**Validating AJAX Submissions**\n\nIn order to validate that an AJAX post is not forged, you must remember to include the csrf_token javascript global variable in your \nrequest. From there, you're going to want to validate it in your controller or model method:\n\n\tif (Request::$method == 'POST' \u0026\u0026 Request::$is_ajax) {\n\t\t// reject the request when the token is missing or does not validate\n\t\tif (!isset($_POST['csrf_token']) || ! CSRF::valid($_POST['csrf_token'])) {\n\t\t\t// possible cross-site request forgery\n\t\t} else {\n\t\t\t// perform further form validation\n\t\t}\n\t}\n\nRequirements\n------------\n* The PHP mcrypt module (php-mcrypt or php5-mcrypt depending on your distro)\n* jQuery \u003e= 1.3.2\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finvalidusrname%2Fcsrf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finvalidusrname%2Fcsrf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finvalidusrname%2Fcsrf/lists"}